
Report: CC-Based Design of Secure Application Systems

Conference paper: Engineering Secure Software and Systems (ESSoS 2009)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5429)

Abstract

This paper describes some experiences with using the Common Criteria for Information Security Evaluation as the basis for a design methodology for secure application systems. The examples considered include a Point-of-Sale (POS) system, a wind turbine park monitoring and control system and a secure workflow system, all of them specified to achieve CC assurance level EAL3. The methodology is described and strengths and weaknesses of using the Common Criteria in this way are discussed. In general, the systematic methodology was found to be a good support for the designers, enabling them to produce an effective and secure design, starting with the formulation of a Protection Profile and ending with a concrete design, within the project timeframe.



Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sharp, R. (2009). Report: CC-Based Design of Secure Application Systems. In: Massacci, F., Redwine, S.T., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2009. Lecture Notes in Computer Science, vol 5429. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00199-4_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-00199-4_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-00198-7

  • Online ISBN: 978-3-642-00199-4

  • eBook Packages: Computer Science (R0)