Towards the Integration of Security Aspects into System Development Using Collaboration-Oriented Models

  • Linda Ariani Gunawan
  • Peter Herrmann
  • Frank Alexander Kraemer
Part of the Communications in Computer and Information Science book series (CCIS, volume 58)


Security, as an important feature of system design, should be taken into account early in the development of systems. We propose an extension of the SPACE engineering method in order to integrate security aspects into the system design and implementation phases. The integration of security mechanisms is facilitated by collaborations. Functional system specifications are represented by collaboration-oriented models which describe functionalities reaching over different physical components in one model. Countermeasures are also modeled by collaborations since security mechanisms are often collaborative structures themselves. Our approach includes an asset-oriented security analysis on the collaboration-oriented models in order to determine the level of protection needed. We illustrate our approach by the example of an e-sale system.


Keywords: Security Analysis; Security Mechanism; Access Control Policy; Payment Service; Security Aspect
These keywords were added by machine and not by the authors.





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Linda Ariani Gunawan (1)
  • Peter Herrmann (1)
  • Frank Alexander Kraemer (1)
  1. Department of Telematics, Norwegian University of Science and Technology (NTNU), Trondheim, Norway
