Modeling Security Features of Web Applications

  • Marianne Busch
  • Nora Koch
  • Santiago Suppan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8431)

Abstract

Securing web applications is a difficult task not only, because it is hard to implement bulletproof techniques, but also because web developers struggle to get an overview of how to avoid security flaws in a concrete application. This is aggravated by the fact that the description of a web application’s security concept is often scattered over lengthy requirements documents, if documented at all. In this chapter, we extend the graphical, UML-based Web Engineering (UWE) language to model security concepts within web applications, thus providing the aforementioned overview. Our approach is applied to a case study of an Energy Management System that provides a web interface for monitoring energy consumption and for configuring appliances. Additionally, we give an overview of how our approach contributes to the development of secure web applications along the software development life cycle.

Keywords

UML-based web engineering secure web engineering web applications UML security Energy Management System Smart Home 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Basin, D., Clavel, M., Egea, M., Schläpfer, M.: Automatic Generation of Smart, Security-Aware GUI Models. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 201–217. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  2. 2.
    Busch, M., Knapp, A., Koch, N.: Modeling Secure Navigation in Web Information Systems. In: Grabis, J., Kirikova, M. (eds.) BIR 2011. LNBIP, vol. 90, pp. 239–253. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 75–88. ACM, New York (2008)Google Scholar
  4. 4.
    NESSoS: Network of Excellence on Engineering Secure Future Internet Software Services and Systems (2014), http://nessos-project.eu/
  5. 5.
    Bertolino, A., Busch, M., Daoudagh, S., Lonetti, F., Marchetti, E.: A Toolchain for Designing and Testing Access Control Policies. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds.) Engineering Secure Future Internet Services and Systems. LNCS, vol. 8431, pp. 266–286. Springer, Heidelberg (2014)Google Scholar
  6. 6.
  7. 7.
    Cuellar, J.: NESSoS deliverable D11.4 – Pilot applications, evaluating NESSoS solutions (to appear, 2014)Google Scholar
  8. 8.
    Guerrero, J.M.: Microgrids: Integration of distributed energy resources into the smart-grid. In: IEEE International Symposium on Industrial Electronics, pp. 4281–4414 (2010)Google Scholar
  9. 9.
    LMU. Web Engineering Group.: UWE Website (2014), http://uwe.pst.ifi.lmu.de/
  10. 10.
    Cubo, J., Cuellar, J., Fries, S., Martín, J.A., Moyano, F., Fernández, G., Gago, M.C.F., Pasic, A., Román, R., Dieguez, R.T., Vinagre, I.: Selection and documentation of the two major applicationcase studies. NESSoS deliverable D11.2 (2011)Google Scholar
  11. 11.
    Gómez, A., Tellechea, M., Rodríguez, C.: D1.1 Requirements of AMI. Technical report, OPEN meter project (2009)Google Scholar
  12. 12.
    Bennett, C., Wicker, S.: Decreased time delay and security enhancement recommendations for ami smart meter networks. In: Innovative Smart Grid Technologies (ISGT), pp. 1–6 (2010)Google Scholar
  13. 13.
    OWASP Foundation: OWASP Top 10 – 2013 (2013), http://owasptop10.googlecode.com/files/OWASPTop10-2013.pdf
  14. 14.
    OMG.: OCL 2.0 (2011), http://www.omg.org/spec/OCL/2.0/
  15. 15.
    No Magic Inc.: Magicdraw (2014), http://www.magicdraw.com/
  16. 16.
    Busch, M., Koch, N.: NESSoS Deliverable D2.3 – Second Release of the SDE for Security-Related Tools (2012)Google Scholar
  17. 17.
    Busch, M., Koch, N.: MagicUWE — A CASE Tool Plugin for Modeling Web Applications. In: Gaedke, M., Grossniklaus, M., Díaz, O. (eds.) ICWE 2009. LNCS, vol. 5648, pp. 505–508. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Busch, M., Ochoa, M., Schwienbacher, R.: Modeling, Enforcing and Testing Secure Navigation Paths for Web Applications. Technical Report 1301, Ludwig-Maximilians-Universität München (2013)Google Scholar
  19. 19.
    Busch, M., García de Dios, M.A.: ActionUWE: Transformation of UWE to ActionGUI Models. Technical report, Ludwig-Maximilians-Universität München, Number 1203 (2012)Google Scholar
  20. 20.
    Kroiss, C., Koch, N., Knapp, A.: UWE4JSF - A Model-Driven Generation Approach for Web Applications. In: Gaedke, M., Grossniklaus, M., Díaz, O. (eds.) ICWE 2009. LNCS, vol. 5648, pp. 493–496. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Eclipse: XPand (2013), http://wiki.eclipse.org/Xpand
  22. 22.
    OASIS: eXtensible Access Control Markup Language (XACML) Version 2.0 (2005), http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
  23. 23.
    Wolf, K.: Sicherheitsbezogene Model-to-Code Transformation für Webanwendungen (German), Bachelor Thesis (2012)Google Scholar
  24. 24.
    Busch, M., Koch, N., Masi, M., Pugliese, R., Tiezzi, F.: Towards model-driven development of access control policies for web applications. In: Model-Driven Security Workshop in Conjunction with MoDELS 2012. ACM Digital Library (2012)Google Scholar
  25. 25.
    Masi, M., Pugliese, R., Tiezzi, F.: Formalisation and Implementation of the XACML Access Control Mechanism. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 60–74. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  26. 26.
    SDE: Service Development Environment (2014), http://www.nessos-project.eu/sde
  27. 27.
    Soriano, R., Alberto, M., Collazo, J., Gonzales, I., Kupzo, F., Moreno, L., Lugmaier, A., Lorenzo, J.: OpenNode. Open Architecture for Secondary Nodes of the Electricity SmartGrid. In: 21st International Conference on Electricity Distribution (2011)Google Scholar
  28. 28.
    Department of Energy and Climate Change: Smart Metering Implementation Programme, Response to Prospectus Consultation, Overview Document. Technical report, Office of Gas and Electricity Markets (2011)Google Scholar
  29. 29.
    Beckers, K., Fabender, S., Heisel, M., Suppan, S.: A threat analysis methodology for smart home scenarios. In: SmartGridSec 2014. LNCS. Springer (2014)Google Scholar
  30. 30.
    Grossman, J.: Website security statistics report. Technical report, WhiteHat Security (2013), https://www.whitehatsec.com/resource/stats.html
  31. 31.
    Busch, M.: Secure Web Engineering supported by an Evaluation Framework. In: Modelsward 2014. Scitepress (2014)Google Scholar
  32. 32.
    Jürjens, J.: Secure Systems Development with UML. Springer (2004), Tools and further information: http://www.umlsec.de/
  33. 33.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  34. 34.
    Slimani, N., Khambhammettu, H., Adi, K., Logrippo, L.: UACML: Unified Access Control Modeling Language. In: NTMS 2011, pp. 1–8 (2011)Google Scholar
  35. 35.
    Hafner, M., Breu, R.: Security Engineering for Service-Oriented Architectures. Springer (2008)Google Scholar
  36. 36.
    Gilmore, S., Gönczy, L., Koch, N., Mayer, P., Tribastone, M., Varró, D.: Non-functional Properties in the Model-Driven Development of Service-Oriented Systems. J. Softw. Syst. Model. 10(3), 287–311 (2011)CrossRefGoogle Scholar
  37. 37.
    Menzel, M., Meinel, C.: A Security Meta-model for Service-Oriented Architectures. In: Proc. 2009 IEEE Int. Conf. Services Computing (SCC 2009), pp. 251–259. IEEE (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Marianne Busch
    • 1
  • Nora Koch
    • 1
  • Santiago Suppan
    • 2
  1. 1.Institute for InformaticsLudwig-Maximilians-Universität MünchenMünchenGermany
  2. 2.Siemens AG, GermanyMünchenGermany

Personalised recommendations