Abstract
With the rise of Model Driven Engineering (MDE) as a software development methodology, which increases productivity and, supported by powerful code generation tools, allows a less error-prone implementation process, the idea of modeling security aspects during the design phase of the software development process was first suggested by the research community almost a decade ago. While various approaches for Model Driven Security (MDS) have been proposed during the years, it is still unclear, how these concepts compare to each other and whether they can improve the security of software projects. In this paper, we provide an evaluation of current MDS approaches based on a simple web application scenario and discuss the strengths and limitations of the various techniques, as well as the practicability of MDS for web application security in general.
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Download to read the full chapter text
Chapter PDF
References
Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: An agent-oriented software development methodology. Autonomous Agents and Multi-Agent Systems 8(3), 203–236 (2004)
Hayati, P., Jafari, N., Rezaei, S., Sarenche, S., Potdar, V.: Modeling input validation in uml. In: 19th Australian Conference on Software Engineering, ASWEC 2008, pp. 663–672. IEEE (2008)
Jürjens, J.: Umlsec: Extending UML for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002)
Kasal, K., Heurix, J., Neubauer, T.: Model-driven development meets security: An evaluation of current approaches. In: 2011 44th Hawaii International Conference on System Sciences (HICSS), pp. 1–9. IEEE (2011)
Lloyd, J., Jürjens, J.: Security analysis of a biometric authentication system using UMLsec and JML. In: Schürr, A., Selic, B. (eds.) MODELS 2009. LNCS, vol. 5795, pp. 77–91. Springer, Heidelberg (2009)
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
Montrieux, L., Jürjens, J., Haley, C., Yu, Y., Schobbens, P., Toussaint, H.: Tool support for code generation from a umlsec property. In: Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, pp. 357–358. ACM (2010)
Mouratidis, H., Giorgini, P.: Enhancing secure tropos to effectively deal with security requirements in the development of multiagent systems. In: Barley, M., Mouratidis, H., Unruh, A., Spears, D., Scerri, P., Massacci, F. (eds.) SASEMAS 2004-2006. LNCS, vol. 4324, pp. 8–26. Springer, Heidelberg (2009)
OWASP. Open web application security project top 10, https://www.owasp.org/index.php/Top_10_2010-Main (last access: January 15, 2013)
Rumbaugh, J., Jacobson, I., Booch, G.: The Unified Modeling Language Reference Manual, 2nd edn. Pearson Higher Education (2004)
Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. Computer 29(2), 38–47 (1996)
Sindre, G., Opdahl, A.: Templates for misuse case description. In: Proceedings of the 7th International Workshop on Requirements Engineering, Foundation for Software Quality (REFSQ 2001), Switzerland. Citeseer (2001)
van Lamsweerde, A., Dardenne, A., Delcourt, B., Dubisy, F.: The kaos project: Knowledge acquisition in automated specification of software. In: Proceedings AAAI Spring Symposium Series, pp. 59–62 (1991)
Yu, H., Liu, D., He, X., Yang, L., Gao, S.: Secure software architectures design by aspect orientation. In: Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems, ICECCS 2005, pp. 47–55. IEEE (2005)
Zhu, Z., Zulkernine, M.: A model-based aspect-oriented framework for building intrusion-aware software systems. Information and Software Technology 51(5), 865–875 (2009)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Hochreiner, C., Ma, Z., Kieseberg, P., Schrittwieser, S., Weippl, E. (2014). Using Model Driven Security Approaches in Web Application Development. In: Linawati, Mahendra, M.S., Neuhold, E.J., Tjoa, A.M., You, I. (eds) Information and Communication Technology. ICT-EurAsia 2014. Lecture Notes in Computer Science, vol 8407. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55032-4_42
Download citation
DOI: https://doi.org/10.1007/978-3-642-55032-4_42
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55031-7
Online ISBN: 978-3-642-55032-4
eBook Packages: Computer ScienceComputer Science (R0)