Abstract
Existing approaches only provide informal guidelines for the transition from security requirements to secure design. Carrying out this transition is highly non-trivial and error-prone, leaving the risk of introducing vulnerabilities.
This paper presents a pattern-oriented approach to connect security requirements analysis and secure architectural design. Following the divide & conquer principle, a software development problem is divided into simpler subproblems based on security requirements analysis patterns. We complement each of these patterns with architectural security patterns tailored to solve classes of security subproblems. We use UMLsec together with the advanced modeling possibilities for software architectures of UML 2.3 to equip the architectural security patterns with security properties, and to allow tool-supported analysis and composition of instances of these patterns. We validate our approach using two case studies and illustrate its support for Common Criteria certifications.
© 2011 Springer-Verlag Berlin Heidelberg
Schmidt, H., Jürjens, J. (2011). Connecting Security Requirements Analysis and Secure Design Using Patterns and UMLsec. In: Mouratidis, H., Rolland, C. (eds) Advanced Information Systems Engineering. CAiSE 2011. Lecture Notes in Computer Science, vol 6741. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21640-4_28
DOI: https://doi.org/10.1007/978-3-642-21640-4_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21639-8
Online ISBN: 978-3-642-21640-4