Software security and reliability is rapidly becoming one of the most pressing issues in software engineering since software has become a critical component in almost all systems that society relies on. The level of risk the society faces from intentional or unintentional failures in these systems has increased in an almost uncontrolled fashion:

* With software controlling, protecting, and affecting more and more critical information and systems, the consequences of failure has increased significantly.
* As software becomes more complex, it tends to contain more flaws, and as it becomes more networked, its exposure to potential adversaries increases.
* Software-intensive systems are increasingly becoming viable financial and political targets for well-funded and well-motivated attackers, thus increasing the overall hreat to these systems.

Today, security is often an afterthought when developing software, rarely included in the early phases of software development, and mostly focused on detecting problems, rather than on preventing them in the first place.
Despite a rash of new programming paradigms, methodologies, and development environments, the ever increasing number of vulnerabilities found in software clearly shows that a different approach is called for.
Software developers use models extensively, particularly in the early phases of software development, in order to improve software quality.

This workshop would like to discuss how software security can be improved through the MDA approach. The main discussion topics will be:

* How security specialists can capture their security expertise in form of reusable models, in particular threat and vulnerability models
* How the security requirements and goals can be traced all along the development process
* How security models and profiles can be merged with system models in different abstraction levels.
* How security models can be shared and reused
* How developers can benefit from these reusable models for specification and design (e.g. through sharing tool artifacts such as security design patterns).
* How security testing can be improved through security models.
* Which are the requirements on tools to support the creation, transformation and use of security models.

The workshop will try to bring together people from both academia and industry, from all the different areas that want to/might play an active role in domain of security solutions and issue in MDA, to discuss problems, highlight possible solutions, disseminate success stories and also draft a possible research agenda.

Organizing committee

* Alessandra Bagnato (TXT e-solutions, Corporate Research Division, Italy)
* Amel Mammar (Telecom SudParis, France)
* Per Håkon Meland (SINTEF, Norway)
* Txus Sánchez (ESI, Spain)

Topics

The workshop addresses problems and solutions for Security in MDA. The topics of interest include, but are not restricted to:
- Security Modelling
- Security requirements tracking in MDA
- Model-based security testing
- Transformation of model-based security knowledge
- Interoperability between security models
- Platform dependent and platform independent models for security solutions
- Model-based behavior analysis
- Security Tools using security models
- Security design patterns in MDA
- Abuse and Misuse cases
- Standards for modeling and sharing vulnerabilities and security issue knowledge
- Standards for storing and querying vulnerabilities and security issue knowledge bases
- Requirements for new security improved tools
- Security models and design patterns integration within IDE

Important dates

Submission deadline: April 2nd, 2010

Notification of acceptance for participation/presentation: May, 4, 2010

Final papers: May 21, 2010

Workshop: June 16, 2010

Submission Guidelines

The workshop is open to contributions that focus on the "broad" spectrum on security in MDA related activities and in particular industrialexperience report, progress, new methods and solutions in that context. We would like to invite papers that explain and exemplify relevant issues and problems related to the security and reliability incomplex software systems in MDA context,papers that present established solutions to well-known problems and also papers that discuss success stories. In all these cases, we expect well-focused contributions to help participants understand problems, open issues, and available solutions, and also to foster rich and fruitful discussions.
The emphasis should be on defining and setting problems, on technical details of proposed solutions, or on the rationale behind success stories.Papers should be written in Springer LNCS style and limited to 10 pages (see http://www.springer.de/comp/lncs/authors.html for details). The emphasis should be on defining and setting problems, on technical details of proposed solutions, or on the rationale behind success stories. As the workshop will apply double-blind reviews process, the papers should not indicate their authors. Submissions should be sent by email attachment (Word format) alessandra.bagnato txt.it.

Pubblications

The paper selection will be based upon the relevance of a paper to the main topics, on its quality and on the potential to stimulate discussion in the workshop.
Workshop Proceedings will be published as CEA Proceedings with assigned ISBN.

Program committee (under definition)

* Habtamu Abie (Norwegian Computing Center, Norway)
* Alessandra Bagnato (TXT e-solutions, Corporate Research Division, Italy)
* Ruth Breu (University of Insbruck, Austria)
* Ana Cavalli (GET/INT, France)
* Jorge Cuellar (Siemens CERT Siemens AG, Germany)
* Violeta Damjanovic (Salzburg Research, Austria)
* Marina Egea Gonzalez (ETH Zürich, Swiss)
* Jan Jurjens (TU Dortmund and Fraunhofer ISST, Germany)
* Filippo Lanubile (Università degli Studi di Bari, Italia)
* Xabier Larrucea, (European Software Institute, Spain)
* Amel Mammar (Telecom SudParis, France)
* Jason Xabier Mansell, (European Software Insitute, Spain)
* Per Håkon Meland (SINTEF, Norway)
* Matteo Meucci (OWASP-Italy Chair, OWASP Testing Guide lead, Italy)
* Charles Bastos Rodriguez, (Atos Research & Innovation Security Unit, Spain)
* Bernhard Rumpe (RWTH Aachen University, Germany)
* Nahid Shahmehri (Linkoping University, Sweden)
* Txus Sánchez (European Software Institute, Spain)
* Ståle Walderhaug, (SINTEF, Norway)

Sponsored by

SHIELDS Project

Workshop Contact References

For more information on the workshop, please contact:
Alessandra Bagnato
Txt e-solutions, Corporate Research Division
Via al Ponte Reale 5, Genoa (Italy)
Phone: 39 027711