Balancing Product and Process Assurance for Evolving Security Systems

Wolfgang Raschke, Massimiliano Zilli, Philipp Baumgartner, Johannes Loinig, Christian Steger, Christian Josef Kreiner

Research output: Contribution to journal › Article › peer-review


At present, security-related engineering usually requires a big up-front design (BUFD) regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In today’s volatile markets, customers want to be able to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash between traditional security design and evaluation processes. In this paper, the authors propose an agile security evaluation method for the Common Criteria standard.
This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree. However, the application of the proposed evaluation method is limited by several constraints. The authors discuss these constraints and show how traditional certification schemes could be extended to better support modern industrial software development processes.
Original language: English
Pages (from-to): 47
Number of pages: 29
Journal: International Journal of Secure Software Engineering
Issue number: 1
Publication status: Published - 2015
