Using Model Driven Security Approaches in Web Application Development

  • Christoph Hochreiner
  • Zhendong Ma
  • Peter Kieseberg
  • Sebastian Schrittwieser
  • Edgar Weippl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8407)


Model Driven Engineering (MDE) has risen as a software development methodology that increases productivity and, supported by powerful code generation tools, allows a less error-prone implementation process. With it, the idea of modeling security aspects during the design phase of the software development process was first suggested by the research community almost a decade ago. While various approaches for Model Driven Security (MDS) have been proposed over the years, it is still unclear how these concepts compare to each other and whether they can improve the security of software projects. In this paper, we provide an evaluation of current MDS approaches based on a simple web application scenario and discuss the strengths and limitations of the various techniques, as well as the practicability of MDS for web application security in general.


Keywords (added by machine, not by the authors): Goal Model; Case Diagram; Model Drive Engineer; Misuse Case; Input Validation



Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Christoph Hochreiner (1)
  • Zhendong Ma (3)
  • Peter Kieseberg (1)
  • Sebastian Schrittwieser (2)
  • Edgar Weippl (1)

  1. SBA-Research, Austria
  2. St. Poelten University of Applied Sciences, Austria
  3. Austrian Institute of Technology, Austria
