Call for Proposals: Master Thesis: Evaluating software security benefits based on software processes with Essence

Context and Motivation

Security is not a quality that can be added to software after the functionality has been developed. To develop non-trivial secure software, one has to consider security in all aspects of software engineering, including requirements elicitation, design, implementation, test, and runtime. This extends even to the teardown of the system, for example when deciding what to do with the remaining data.

Security is also not a one-shot endeavor. Keeping software secure throughout its life cycle requires establishing security-enhancing activities in the development process. In this master thesis you explore possibilities to identify security-enhancing activities in software engineering processes.

There are existing practices to improve software security, such as Threat Modeling or the use of Identity and Access Management. These in turn can be refined, e.g. to STRIDE for Threat Modeling and the use of OAuth 2.0 for Identity and Access Management.

Software security is a broad area. ISO/IEC 25010 [1] defines software qualities, including security. The ISO/IEC 27000 family of standards [3] describes information security in more depth. The OMG standard Essence [2, 4, 6, 5] can be used to describe software engineering practices and methods. These practices refer to activities in software engineering processes that can be beneficial or harmful for software security. However, there is currently no means to declare or analyze the security impact of such activities in Essence.

Objectives

In this thesis you will investigate how suitable the OMG standard Essence is for systematically describing and analyzing how security-enhancing measures are implemented in the software engineering process for a given software. You will codify the Essence standard into a model that can be used by developers and analysts, and processed by software for automation. You will identify activities, practices and methods that help improve software security. The objective of this thesis is to develop a methodology and tool prototype to model and analyze software engineering processes with Essence with a focus on security-enhancing activities and practices.

As guidance, you will address the following research questions:

  • Identify a set of relevant practices to enhance software security in practice, such as Threat Modeling, and model them according to the Essence standard.
  • Develop a method and tool to identify the use of these practices in open source project repositories or documentation, and potentially other data sources, and model the current state in alignment with your practice model.
  • Develop suggestions for the projects on how to improve their security.

Contact

Supervisor: Prof. Dr. Marco Konersmann

References

[1] Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models. Technical Report ISO/IEC 25010:2011, Geneva, Switzerland, 2011.
[2] Essence — Kernel and language for software engineering methods, version 1.2. Technical Report formal/2018-10-03, Object Management Group (OMG), 2018. https://www.omg.org/spec/Essence/1.2.
[3] Information technology — Security techniques — Information security management systems — Overview and vocabulary. Technical Report ISO/IEC 27000:2018, Geneva, Switzerland, 2018.
[4] Essence — Kernel and language for engineering methods, version 2.0 (beta). Technical report, Object Management Group (OMG), 2025. OMG Adopted Beta Specification, https://www.omg.org/spec/Essence/2.0.
[5] Daniel Graziotin and Pekka Abrahamsson. A web-based modeling tool for the SEMAT Essence theory of software engineering. Journal of Open Research Software, 1(1), 2013.
[6] Ivar Jacobson, Harold Bud Lawson, and Pan-Wei Ng. The Essentials of Modern Software Engineering: Free the Practices from the Method Prisons! Addison-Wesley, Boston, MA, 2019.