Biblio

With the emergence of biometric technology in various applications, such as access control (e.g. mobile lock/unlock), financial transaction (e.g. Alibaba smile-to-pay) and time attendance, the development of biometric system attracts increasingly interest to the developers. Despite a sound biometric system gains the security assurance and great usability, it is a rather challenging task to develop an effective biometric system. For instance, many public available biometric APIs do not provide sufficient instructions / precise documentations on the usage of biometric APIs. Many developers are struggling in implementing these APIs in various tasks. Moreover, quick update on biometric-based algorithms (e.g. feature extraction and matching) may propagate to APIs, which leads to potential confusion to the system developers. Hence, we conduct an empirical study to the problems that the developers currently encountered while implementing the biometric APIs as well as the issues that need to be addressed when developing biometric systems using these APIs. We manually analyzed a total of 500 biometric API-related posts from various online media such as Stack Overflow and Neurotechnology. We reveal that 1) most of the problems encountered are related to the lack of precise documentation on the biometric APIs; 2) the incompatibility of biometric APIs cross multiple implementation environments.

Tracing and integrating security requirements throughout the development process is a key challenge in security engineering. In socio-technical systems, security requirements for the organizational and technical aspects of a system are currently dealt with separately, giving rise to substantial misconceptions and errors. In this paper, we present a model-based security engineering framework for supporting the system design on the organizational and technical level. The key idea is to allow the involved experts to specify security requirements in the languages they are familiar with: business analysts use BPMN for procedural system descriptions; system developers use UML to design and implement the system architecture. Security requirements are captured via the language extensions SecBPMN2 and UMLsec. We provide a model transformation to bridge the conceptual gap between SecBPMN2 and UMLsec. Using UMLsec policies, various security properties of the resulting architecture can be verified. In a case study featuring an air traffic management system, we show how our framework can be practically applied.