Ontology-driven evolution of software security

Ontologies as a means to formally specify the knowledge of a domain of interest have made their way into information and communication technology. Most often, such knowledge is subject to continuous change, which demands for consistent evolution of ontologies and dependent artifacts. In this article, we study ontology evolution in the context of software security, where ontologies may be used to formalize the security context knowledge which is needed to properly implement security requirements. In this application scenario, techniques for detecting ontology changes and determining their semantic impact are required to maintain the security of a software-intensive system in response to changing security context knowledge. Our solution is capable of detecting semantic editing patterns, which may be customly defined using graph transformation rules, but it does not depend on information about editing processes such as persistently managed changelogs. We leverage semantic editing patterns for (i) generating system co-evolution proposals, (ii) adapting the configuration of standard security checks, and (iii) performing incremental security compliance analyses between co-evolved system models and the implementation. We demonstrate the feasibility of the approach using a realistic medical information system known as iTrust.