An Agent-Based System to Support Assurance of Security Requirements

Current approaches to evaluating security assurance either focus on the software development stage or at the end product software. However, most often, it is after the deployment or implementation phase that specified security requirements may be violated. This may be due to improper deployment of the security measures, environmental hazards or to the fact that the assumptions under which the security requirements have been specified have become invalid. As such, this paper proposes an approach (supported by a system) which will complement security requirements engineering methodologies by gathering continuous evidence to inform on whether the security requirements elucidated during system development stage have been correctly implemented and as such, they can be relied upon to effectively protect system assets at runtime. We use Secure Tropos methodology to highlight the security assurance case and elicit the features of our security assurance evaluation system. We further depict the security assurance evaluation through an example based on firewalls configurations.