Evaluation of Engineering Approaches in the Secure Software Development Life Cycle

  • Marianne Busch
  • Nora Koch
  • Martin Wirsing
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8431)

Abstract

Software engineers need to find effective methods, appropriate notations and tools that support the development of secure applications along the different phases of the Software Development Life Cycle (SDLC). Our evaluation approach, called SecEval, supports the search for and comparison of these artifacts. SecEval comprises: (1) a workflow that defines the evaluation process and can be easily customized and extended; (2) a security context model describing security features, methods, notations and tools; (3) a data collection model, which records how data is gathered when researchers or practitioners look for artifacts that solve a specific problem; (4) a data analysis model specifying how analysis is performed on the previously collected data; and (5) the possibility of easily extending the models, which is illustrated for risk rating and experimental approaches. The validation of SecEval was performed for tools in the web testing domain.

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Marianne Busch (1)
  • Nora Koch (1)
  • Martin Wirsing (1)

  1. Institute for Informatics, Ludwig-Maximilians-Universität München, München, Germany