University of Texas at San Antonio
Mobile applications frequently access sensitive personal information to meet user or business requirements. Because such information is sensitive in general, regulators increasingly require mobileapp developers to publish privacy policies that describe what information is collected. Furthermore, regulators have fined companies when these policies are inconsistent with the actual data practices of mobile apps. As a means to assist developers, auditors, and end-users, I have created a framework and suite of tools to help bridge the semantic gap between natural language privacy policies and application code.
Security Requirements Patterns
Secure software depends upon the ability of software developers to respond to security risks early in the software development process. Despite a wealth of security requirements, often called security controls, there is a shortfall in the adoption and implementation of these requirements. This shortfall is due to the extensive expertise and higher level cognitive skillsets required to comprehend, decompose and reassemble security requirements concepts in the context of an emerging system design. To address this shortfall, we propose to develop two empirical methods: (1) a method to derive security requirements patterns from requirements catalogues using expert knowledge; and (2) a method to empirically evaluate these patterns for their "usability" by novice software developers against a set of common problem descriptions, including the developer's ability to formulate problems, select and instantiate patterns. The study results will yield a framework for discovering and evaluating security requirements patterns and new scientific knowledge about the limitations of pattern-based approaches when applied by novice software developers. This project has been funded by National Security Agency grant "Improving the Usability of Security Requirements by Software Developers through Empirical Studies and Analysis", UTSA award amount $200,000, February 2012 - September 2014, UTSA PI, Jianwei Niu, PIs, Travis Breaux (CMU) and Laurie Williams (NCSU).
Title on hover
Description on hover
Title on hover
Description on hover
- Hui Shen, Ram Krishnan, Rocky Slavin, and Jianwei Niu. "Sequence Diagram Aided Security Policy Specification", IEEE Transactions on Dependable and Secure Computing, 2014. (pdf)
Refereed Conference and Workshop Publications
- Rocky Slavin, Jean-Michel Lehker, Jianwei Niu, and Travis D. Breaux. "Managing Security Requirements Patterns using Feature Diagram Hierarchies", 22nd IEEE International Requirements Engineering Conference, 2014, Karlskrona, Sweden. (pdf)
- Jean-Michel Lehker, Rocky Slavin, and Jianwei Niu. "Integration of Security Pattern Selection Practices with Pattern Storage", Symposium and Bootcamp on the Science of Security (HotSoS), 2014, Raleigh. (pdf)
- Rocky Slavin, Hui Shen, and Jianwei Niu. "Characteristics and Boundaries of Security Requirements Patterns", Second International Workshop on Requirements Patterns (RePa), 2012, Chicago. (pdf)
- Rocky Slavin. "Does your Android App Collect More than it Promises to?", IEEE Software Blog, 2016, http://blog.ieeesoftware.org/2016/05/does-your-android-app-collect-more-than.html.
PhD Candidate, Computer ScienceUniversity of Texas at San Antonio
Advisor: Jianwei Niu
Bachelor of Science, Computer ScienceUniversity of Texas at San Antonio
Mobile Application PrivacyCollaboration: Carnegie Mellon University, University of Texas at San Antonio, University of Texas at Dallas
Conducted research to bridge gap between natural language privacy policies and Android application code.
Security Requirements PatternsCollaboration: Carnegie Mellon University, North Carolina State University, University of Texas at San Antonio
Conducted research to improve the usability of security requirements patterns through empirical studies and analysis.
Teaching Assistant - Data Analysis and Visualization using MATLABUniversity of Texas at San Antonio, Department of Computer Science
Teaching Assistant - Introduction to Computer Programming IIUniversity of Texas at San Antonio, Department of Computer Science
Program Specialist/Web DeveloperUniversity of Texas at San Antonio, Center for Research and Training in the Sciences
Systems Administrator Assistant/Web DeveloperUniversity of Texas at San Antonio, Computational Biologiy Initiative
When I'm not working on my research I'm having fun with my wife and daughter and working on my astrophotography.