A Common Body of Knowledge for Engineering Secure Software and Services

Widura Schwittek, Holger Schmidt, Kristian Beckers, Stefan Eicker, Stephan Faßbender, and Maritta Heisel
paluno – The Ruhr Institute for Software Technology, University of Duisburg-Essen, Germany
Email: {firstname.lastname}@paluno.uni-due.de

Abstract—The discipline of engineering secure software and services brings together researchers and practitioners from software, services, and security engineering. This interdisciplinary community is fairly new and still not well integrated; it is therefore confronted with differing perspectives, processes, methods, tools, vocabularies, and standards. We present a Common Body of Knowledge (CBK) to overcome these problems. We capture use cases from research and practice to derive requirements for the CBK. Our CBK collects, integrates, and structures knowledge from the different disciplines based on an ontology that allows content to be semantically enriched so that the CBK can be queried. The CBK relies heavily on user participation, using Semantic MediaWiki as a platform to support collaborative writing. The ontology is complemented by a conceptual framework, consisting of concepts that structure the knowledge and provide access to it, and a means to build a common terminology. We also present organizational factors covering dissemination and quality assurance.

Keywords-interdisciplinary, common body of knowledge, knowledge management, software engineering, security engineering, services computing.

I. INTRODUCTION

NESSoS (Network of Excellence on Engineering Secure Future Internet Software Services and Systems)1 is an EU project comprising 12 partners from academia, industry, and research institutes. It is funded for a duration of 42 months. However, NESSoS aims at constituting and integrating a long-lasting research community on engineering secure software-based services and systems, one that outlasts the funding period.
NESSoS is based on the principle of addressing security concerns from the very beginning of system analysis and design, thus contributing to reducing the number of system and service vulnerabilities and enabling the systematic treatment of security needs throughout the engineering process. For this approach to work, research from the areas of software engineering (SE), service engineering, and security engineering must be brought together and integrated in such a way that researchers as well as practitioners can easily access and apply the knowledge accumulated in the different areas. To support this goal, we develop a Common Body of Knowledge (CBK). While existing bodies of knowledge (BOKs) like the Software Engineering Body of Knowledge (SWEBOK) [1] rely solely on books or hypertext systems as a medium, our CBK provides several advantages such as improved flexibility and additional means of knowledge access for its users. Our CBK introduces an ontology that allows users to semantically enrich content. The CBK ontology is based upon a conceptual framework, which introduces a common terminology that makes research results from the different areas easier to comprehend. Another difference between existing BOKs and our CBK is that our CBK relies heavily on user participation, realized through a wiki platform. Consequently, the CBK supports collaborative writing and provides mechanisms to build up and update its content. Since the CBK will be opened to the public in the future, our approach is complemented by organizational means covering processes such as quality assurance to ensure a high quality of content. The main contribution of this work is to tackle the semantic challenges of finding research in a domain, which we apply to the domain of secure software and service development. However, the contribution can also be applied to other domains.

1 http://www.nessos-project.eu/
Note that although the CBK we present in this paper is designed to support the NESSoS project, its underlying concepts are of a general nature. Thus, our CBK concept can be adapted to set up CBKs in other areas. In the current version the ontology is implemented using the SMW+ platform2, and the members of the NESSoS project are currently adding content to it.

The paper is organized as follows: we outline use cases for the CBK in Sect. II. In Sect. III, we present the concepts and the ontology underlying our CBK. In Sect. IV we briefly present our choice of technology for realizing the CBK. We discuss organizational factors of the CBK and report on the CBK's status in Sect. V. We present related work in Sect. VI. Finally, we conclude and raise ideas for future work in Sect. VII.

2 http://www.semantic-mediawiki.org

2012 Seventh International Conference on Availability, Reliability and Security. 978-0-7695-4775-6/12 $26.00 © 2012 IEEE. DOI 10.1109/ARES.2012.31