Towards a Comprehensive Framework for Secure Systems Development

  • Haralambos Mouratidis
  • Jan Jürjens
  • Jorge Fox
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4001)


Security involves technical as well as social challenges. In the development of security-critical applications, system developers must consider both the technical and the social parts. To achieve this, security issues must be considered during the whole development life-cycle of an information system. This paper presents an approach that allows developers to consider both the social and the technical dimensions of security through a structured and well-defined process. In particular, the proposed approach takes the high-level concepts and modelling activities of the secure Tropos methodology and enriches them with a low-level security-engineering ontology and models derived from the UMLsec approach. A real case study from the e-commerce sector is employed to demonstrate the applicability of the approach.


Keywords: Smart Card; Security Requirement; Secure Goal; Security Constraint; Security Pattern


Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Haralambos Mouratidis (1)
  • Jan Jürjens (2)
  • Jorge Fox (2)

  1. Innovative Informatics, School of Computing and Technology, University of East London, UK
  2. Software and Systems Engineering, TU Munich, Germany
