Introduction

Software security and reliability is rapidly becoming one of the most pressing issues in software engineering since software has become a critical component in almost all systems that society relies on. The level of risk the society faces from intentional or unintentional failures in these systems has increased in an almost uncontrolled fashion:

• With software controlling, protecting, and affecting more and more critical information and systems, the consequences of failure has increased significantly.
• As software becomes more complex, it tends to contain more flaws, and as it becomes more networked, its exposure to potential adversaries increases.
• Software-intensive systems are increasingly becoming viable financial and political targets for well-funded and well-motivated attackers, thus increasing the overall hreat to these systems.

Today, security is often an afterthought when developing software, rarely included in the early phases of software development, and mostly focused on detecting problems, rather than on preventing them in the first place. Despite a rash of new programming paradigms, methodologies, and development environments, the ever increasing number of vulnerabilities found in software clearly shows that a different approach is called for.

Software developers use models extensively, particularly in the early phases of software development, in order to improve software quality. This workshop would like to discuss how software security can be improved through the MDA approach.

The main discussion topics will be:

• How security specialists can capture their security expertise in form of reusable models, in particular threat and vulnerability models 
• How the security requirements and goals can be traced all along the development process 
• How security models and profiles can be merged with system models in different abstraction levels.
• How security models can be shared and reused
• How developers can benefit from these reusable models for specification and design (e.g. through sharing tool artifacts such as security design patterns).
• How security testing can be improved through security models.
• Which are the requirements on tools to support the creation, transformation and use of security models.

The workshop will try to bring together people from both academia and industry, from all the different areas that want to/might play an active role in domain of security solutions and issue in MDA, to discuss problems, highlight possible solutions, disseminate success stories and also draft a possible research agenda.

Topics

The workshop addresses problems and solutions for Security in MDA. The topics of interest include, but are not restricted to:

• Security Modelling
• Security requirements tracking in MDA
• Model-based security testing
• Transformation of model-based security knowledge
• Interoperability between security models
• Platform dependent and platform independent models for security solutions
• Model-based behavior analysis
• Security Tools using security models
• Security design patterns in MDA
• Abuse and Misuse cases
• Standards for modeling and sharing vulnerabilities and security issue knowledge
• Standards for storing and querying vulnerabilities and security issue knowledge bases
• Requirements for new security improved tools
• Security models and design patterns integration within IDE

Important dates

Submission deadline: April 2nd, 2010

Notification of acceptance for participation/presentation: May 4th, 2010

Final papers: May 21th, 2010 (tentative)

Workshop: June 16th, 2010

Further information here.