Genie in a Model? Why Model Driven Security will not secure your Web Application

More often a new software development methodology called Model Driven Engineering (MDE) is used to increase productivity by supporting powerful code generation tools, which allows a less errorprone implementation process. However the idea of modeling system aspects during the design phase so called Model Driven Security (MDS) was proposed by the scientific community decades ago and yet it is still unclear whether MDS can improve the security of a software project. In this paper we provide a comprehensive evaluation of current MDS approaches based on a web application scenario in regards to the most common web security attacks. We discuss their strengths and limitations as well as the practicability of MDS for modern web application security in general.

[1]  Bashar Nuseibeh,et al.  Security patterns: comparing modeling approaches , 2010 .

[2]  Fausto Giunchiglia,et al.  Tropos: An Agent-Oriented Software Development Methodology , 2004, Autonomous Agents and Multi-Agent Systems.

[3]  Ivar Jacobson,et al.  The unified modeling language reference manual , 2010 .

[4]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[5]  Axel van Lamsweerde,et al.  The KAOS Project: Knowledge Acquisition in Automated Specification of Software , 1991 .

[6]  Christian Wagner,et al.  Model-driven security for Web services in e-Government system: Ideal and real , 2011, 2011 7th International Conference on Next Generation Web Services Practices.

[7]  Axel van Lamsweerde,et al.  From Object Orientation to Goal Orientation: A Paradigm Shift for Requirements Engineering , 2002, RISSEF.

[8]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[9]  Jun Li,et al.  Incorporating Security Requirements into Service Composition: From Modelling to Execution , 2009, ICSOC/ServiceWave.

[10]  Axel van Lamsweerde,et al.  Agent-based tactics for goal-oriented requirements elaboration , 2002, ICSE '02.

[11]  Thomas Neubauer,et al.  Model-Driven Development Meets Security: An Evaluation of Current Approaches , 2011, 2011 44th Hawaii International Conference on System Sciences.

[12]  Ivar Jacobson,et al.  Unified Modeling Language Reference Manual, The (2nd Edition) , 2004 .

[13]  Jan Jürjens,et al.  Modelling and Verification of Layered Security Protocols: A Bank Application , 2003, SAFECOMP.

[14]  Meiko Jensen,et al.  A Security Modeling Approach for Web-Service-Based Business Processes , 2009, 2009 16th Annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems.

[15]  Jan Jürjens,et al.  Security Analysis of a Biometric Authentication System Using UMLsec and JML , 2009, MoDELS.

[16]  Mark Strembeck,et al.  Modeling process-related RBAC models with extended UML activity models , 2011, Inf. Softw. Technol..

[17]  Jan Jürjens,et al.  Model-based security analysis for mobile communications , 2008, 2008 ACM/IEEE 30th International Conference on Software Engineering.

[18]  Mohammad Zulkernine,et al.  A model-based aspect-oriented framework for building intrusion-aware software systems , 2009, Inf. Softw. Technol..

[19]  Michiaki Tatsubori,et al.  Model-driven security based on a Web services security architecture , 2005, 2005 IEEE International Conference on Services Computing (SCC'05) Vol-1.

[20]  Edgar R. Weippl,et al.  Using Model Driven Security Approaches in Web Application Development , 2014, ICT-EurAsia.

[21]  David A. Basin,et al.  A decade of model-driven security , 2011, SACMAT '11.

[22]  Jan Jürjens,et al.  UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[23]  Andreas L. Opdahl,et al.  Templates for Misuse Case Description , 2001 .

[24]  Axel van Lamsweerde,et al.  Deriving operational software specifications from system goals , 2002, SIGSOFT '02/FSE-10.

[25]  Christoph Meinel,et al.  SecureSOA Modelling Security Requirements for Service-Oriented Architectures , 2010, 2010 IEEE International Conference on Services Computing.

[26]  Bashar Nuseibeh,et al.  Model-Based Security Engineering of Distributed Information Systems Using UMLsec , 2007, 29th International Conference on Software Engineering (ICSE'07).

[27]  Haralambos Mouratidis,et al.  Enhancing Secure Tropos to Effectively Deal with Security Requirements in the Development of Multiagent Systems , 2009, Safety and Security in Multiagent Systems.

[28]  Pierre-Yves Schobbens,et al.  Tool support for code generation from a UMLsec property , 2010, ASE.

[29]  Li Yang,et al.  Secure software architectures design by aspect orientation , 2005, 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS'05).

[30]  David Basin,et al.  Model driven security: From UML models to access control infrastructures , 2006, TSEM.

[31]  Jan Jürjens,et al.  Sound development of secure service-based systems , 2004, ICSOC '04.

[32]  Jan Jürjens,et al.  Secure systems development with UML , 2004 .

[33]  Ivar Jacobson,et al.  The Unified Modeling Language Reference Manual, Second Edition , 2005 .

[34]  Ruth Breu,et al.  Model-Driven Security Engineering for Trust Management in SECTET , 2007, J. Softw..

[35]  David A. Basin,et al.  Model driven security for process-oriented systems , 2003, SACMAT '03.

[36]  Saeed Sarencheh,et al.  Modeling Input Validation in UML , 2008, 19th Australian Conference on Software Engineering (aswec 2008).