Rocky Slavin, Ph.D.
Assistant Professor of Practice
Department of Computer Science
University of Texas at San Antonio
Mobile applications frequently access sensitive personal information to meet user or business requirements. Because such information is sensitive in general, regulators increasingly require mobile app developers to publish privacy policies that describe what information is collected. Furthermore, regulators have fined companies when these policies are inconsistent with the actual data practices of mobile apps. As a means to assist developers, auditors, and end-users, I have created a framework and suite of tools to help bridge the semantic gap between natural language privacy policies and application code.
Security Requirements Patterns
Secure software depends upon the ability of software developers to respond to security risks early in the software development process. Despite a wealth of security requirements, often called security controls, there is a shortfall in the adoption and implementation of these requirements. This shortfall is due to the extensive expertise and higher-level cognitive skillsets required to comprehend, decompose, and reassemble security requirements concepts in the context of an emerging system design. To address this shortfall, we propose to develop two empirical methods: (1) a method to derive security requirements patterns from requirements catalogues using expert knowledge; and (2) a method to empirically evaluate these patterns for their "usability" by novice software developers against a set of common problem descriptions, including the developer's ability to formulate problems and to select and instantiate patterns. The study results will yield a framework for discovering and evaluating security requirements patterns and new scientific knowledge about the limitations of pattern-based approaches when applied by novice software developers. This project has been funded by National Security Agency grant "Improving the Usability of Security Requirements by Software Developers through Empirical Studies and Analysis", UTSA award amount $200,000, February 2012 - September 2014. UTSA PI: Jianwei Niu; PIs: Travis Breaux (CMU) and Laurie Williams (NCSU).
- Hui Shen, Ram Krishnan, Rocky Slavin, and Jianwei Niu. Sequence Diagram Aided Security Policy Specification, IEEE Transactions on Dependable and Secure Computing, 2014. (pdf)
Refereed Conference and Workshop Publications
- Rocky Slavin, Jean-Michel Lehker, Jianwei Niu, and Travis D. Breaux. Managing Security Requirements Patterns using Feature Diagram Hierarchies, 22nd IEEE International Requirements Engineering Conference, 2014, Karlskrona, Sweden. (pdf)
- Jean-Michel Lehker, Rocky Slavin, and Jianwei Niu. Integration of Security Pattern Selection Practices with Pattern Storage, Symposium and Bootcamp on the Science of Security (HotSoS), 2014, Raleigh. (pdf)
- Rocky Slavin, Hui Shen, and Jianwei Niu. Characteristics and Boundaries of Security Requirements Patterns, Second International Workshop on Requirements Patterns (RePa), 2012, Chicago. (pdf)
- Hanan Hibshi, Rocky Slavin, Jianwei Niu, and Travis D. Breaux. Rethinking Security Requirements in RE Research. Technical Report CSTR-2014-005, University of Texas at San Antonio Department of Computer Science, 2014. (pdf)
- Hui Shen, Ram Krishnan, Rocky Slavin, and Jianwei Niu. Sequence Diagram Aided Security Policy Specification. Technical Report CSTR-2017-001, University of Texas at San Antonio Department of Computer Science, 2014. (pdf)
- Rocky Slavin. Applying Semantic Analysis for the Alignment of Natural Language Privacy Policies with Application Code. Ph.D. Dissertation, University of Texas at San Antonio, Aug. 2017. (pdf)
- Rocky Slavin. Does your Android App Collect More than it Promises to?, IEEE Software Blog, 2016, http://blog.ieeesoftware.org/2016/05/does-your-android-app-collect-more-than.html.
When I'm not working on my research I'm having fun with my wife and daughter and working on my astrophotography.