Abstract
This paper describes some experiences with using the Common Criteria for Information Security Evaluation as the basis for a design methodology for secure application systems. The examples considered include a Point-of-Sale (POS) system, a wind turbine park monitoring and control system and a secure workflow system, all of them specified to achieve CC assurance level EAL3. The methodology is described and strengths and weaknesses of using the Common Criteria in this way are discussed. In general, the systematic methodology was found to be a good support for the designers, enabling them to produce an effective and secure design, starting with the formulation of a Protection Profile and ending with a concrete design, within the project timeframe.
© 2009 Springer-Verlag Berlin Heidelberg
Sharp, R. (2009). Report: CC-Based Design of Secure Application Systems. In: Massacci, F., Redwine, S.T., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2009. Lecture Notes in Computer Science, vol 5429. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00199-4_10
DOI: https://doi.org/10.1007/978-3-642-00199-4_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-00198-7
Online ISBN: 978-3-642-00199-4