Beyond one-shot security

Security in long-living information systems requires an on-going and systematic evolution of knowledge and software for its protection. We present work towards developing techniques, tools, and processes that support security requirements and design analysis techniques for evolving information systems in order to ensure "lifelong" compliance to security requirements. We build on the security requirements & design approach SecReq developed in previous joint work. As a core feature, this approach supports reusing security engineering experience gained during the development of security-critical software and feeding it back into the development process. We develop heuristic tools and techniques that support elicitation of relevant changes in the environment. Findings will be formalized for se mi-automatic security updates. During the evolution of a long-living information system, changes in the environment will be monitored and translated to adaptations that preserve or restore its security level.