Current practices for developing secure systems are still closer to art than to an engineering discipline. Security is still treated as an add-on and is therefore not integrated into software development practices and tools. Experienced security artisans are still the key to achieving acceptable levels of security.
Several approaches and research strands have tried to address this situation in order to introduce rigor and engineering approaches in the treatment of security aspects in information systems, mainly focusing on the development phases. Traditionally, the term security engineering has been used to denote partial approaches that cover only small parts of the processes that are required in order to create a secure system, like modeling, verification, programming, etc. Moreover, the connections between the different techniques and tools is very weak or most of the times inexistent. Even in the cases that approaches are closer to a “methodology”, and have achieved a certain level of maturity, the key concepts and workflows are highly influenced by the way the development process has been traditionally approached by the security artisans.
Today, the current trend towards distributed and open systems has revealed the important limitations of the current lack of rigor and integration in security engineering approaches. The main problems that the new computing paradigms introduce are the high levels of heterogeneity, dynamism and autonomy, as well as the large scale. The result is that engineers have to deal with runtime situations that are unpredictable at design time. The main drawbacks of current approaches is that they fail to provide a reasonable support for systematic engineering since the identification, characterization and specification of the protection goals and the related threats as well as the selection of appropriate mechanisms and countermeasures depends on the experience of the engineers. Consequently, these approaches represent only minor improvements over the security craftsmanship era.
The RISE Workshop is planned as a forum to discuss this situation, to present novel and promising ideas towards the foundation of IT security as an engineering discipline
and to advocate a change of paradigm based on the definition of integrated processes with well-defined goals and interfaces that combine the different techniques, methodologies and tools to support the engineering of secure systems.
We do not only expect the workshop to be a forum for presentation of research results in the classical way, but also expect to produce as outcomes of this event the following specific results:
- Presentation of the Security Engineering Forum as an entity for collaboration of the IT security community and for driving the foundation of IT security as an engineering discipline;
- Creation of a “Security Engineering Manifesto” advocating the establishment of IT Security as an Engineering discipline;
- Kick-starting the production of a new "Security Engineering BOK (Body of Knowledge)" that provides a map of techniques, methodologies and tools along with their relation and their role in the new security engineering processes.
The RISE Workshop will have a hybrid approach that will combine a traditional scientific workshop with an interactive forum for discussion of the main workshop topics, creation of a community and a clear focus on producing tangible results and making an impact on the situation of IT Security. As such, we believe that the organization of the RISE workshop in the framework of ASE/IEEE will not only benefit the workshop attendees, but will also complement the ASE/IEEE offer.