Software Safety and Security, Assurance Cases and Model Management

摘要

From financial services platforms to social networks to vehicle control, software has come to mediate many activities of daily life. Governing bodies and standards organizations have responded to this trend by creating regulations and standards to address issues such as safety, security and privacy. In this environment, the compliance of software development to standards and regulations has emerged as a key requirement; yet, software compliance is a costly and complex goal to achieve. For example, one estimate of the cost of compliance in the US to the Sarbanes-Oxley Act (SOX) is$8B per year [1]. Regulatory compliance creates software development complexity in various ways. An organization may have to comply with multiple standards due to multiple jurisdictions or to address different aspects of the software, and these may overlap and conflict with each other. Evidence of compliance must be collected, managed and linked to an assurance case that contains the claims and arguments for compliance. When software evolves, compliance must be reassessed, which can delay the release of changes. Finally, maintaining families of related software products (product lines) multiplies the effort even further. Standards, development artifacts and compliance evidence can all be expressed as models. The field of Model Management [2] has emerged to address another software development complexity problem - the proliferation of software models in model-driven software development [3]. Model management focuses on a high-level view in which entire models and their relationships (i.e., mappings between models) can be manipulated using specialized operators to achieve useful outcomes. In this talk, we look at the connection between compliance and modeling to reduce compliance complexity and cost, as well as to facilitate reuse and evolution, with a special focus on automotive software development [4, 5J.