Web Engineering Security (WES) Process

This document explains the Web Engineering Security (WES) process for the construction of secure Web-based application development projects. WES is a process-neutral methodology that has been developed to address specific development issues:

• Active organizational support for security in the Web development process
• Proper controls in the development environment
• Security visibility throughout all areas of the development process
• Delivery of a cohesive system, integrating business requirements, software and security
• Prompt, rigorous testing and evaluation
• Trust and accountability [39]

In addition, WES supports the implementation of an application development methodology, a clear Web security development process definition, the acquisition of end-user feedback, the implementation and testing of disaster recovery plans, and putting into effect a job-related impact scheme for secure application development [41].

The identification of the project's risk to the business, specific application security requirements, secure design and coding standards, controlled implementations and rigorous security testing practices encourages a development environment conducive to creating and delivering increasingly secure Web applications that satisfy the needs of the end-user, who in our global Web-enabled environment ultimately decides whether an application's practical use of security has succeeded.

William Brad Glisson, Page 2 of 51, 13/03/2007. © University of Glasgow 2006, Department of Computing Science, Technical Report TR-2007-243.

[1] Chris Franke, Family Educational Rights and Privacy Act (FERPA), 2007, Journal of Empirical Research on Human Research Ethics: JERHRE.

[2] Ian Walden, Harmonising Computer Crime Laws in Europe, 2004.

[3] Ray Welland et al., Agile Web Engineering (AWE) Process: Perceptions within a Fortune 500 Financial Services Company, 2005, J. Web Eng.

[4] Timothy J. Shimeall et al., Intelligence Analysis for Internet Security, 2002.

[5] Wenfei Fan et al., Keys with Upward Wildcards for XML, 2001, DEXA.

[6] Lynn A. Karoly et al., Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification, 2010, Practice Management Consultant.

[7] William E. Odom et al., Intelligence Analysis, 2008.

[8] Mark Crichard, UK Electronic Communications Act 2000: Electronic Communications Act 2000 - Take-off Time for E-Business or a Missed Opportunity?, 2000, Comput. Law Secur. Rev.

[9] Carol Woody et al., Introduction to the OCTAVE® Approach, 2003.

[10] Ray Welland et al., Web development evolution: the business perspective on security, 2006.

[11] John D. Moteff, Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives, 2004.

[12] Susan Hansche et al., Official (ISC)2 Guide to the CISSP Exam, 2003.

[13] Rahul Telang et al., Impact of Software Vulnerability Announcements on the Market Value of Software Vendors - an Empirical Investigation, 2005, WEIS.

[14] Blaire Foutz, Wealth of knowledge, 2007.

[15] Ray Welland et al., Web Engineering Security: Essential Elements, 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[16] Will Ozier et al., Risk Analysis and Assessment, 2000.

[17] Kaustubh Phaltankar, Practical Guide for Implementing Secure Intranets and Extranets, 1999.

[18] Frederick P. Brooks et al., No Silver Bullet: Essence and Accidents of Software Engineering, 1987.

[19] Wladyslaw M. Turski et al., No Silver Bullet - Essence and Accidents of Software Engineering - Response, 1986, IFIP Congress.

[20] William L. Simon et al., The Art of Deception: Controlling the Human Element of Security, 2001.

[21] Eduardo B. Fernández et al., Coordination of security levels for Internet architectures, 1999, Proceedings of the Tenth International Workshop on Database and Expert Systems Applications (DEXA 99).

[22] Anne H. Soukhanov et al., The American Heritage Dictionary of the English Language, 1992.

[23] Glen L. Urban et al., Strategies for E-Business Success, 2001.

[24] D. Stephens, The Sarbanes-Oxley Act, 2005.

[25] Rodney McKemmish et al., What is forensic computing, 1999.

[26] Ray Welland et al., Web engineering security: a practitioner's perspective, 2006, ICWE '06.

[27] Ray Welland et al., Secure Web Application Development and Global Regulation, 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[28] I. Walden, Crime and Security in Cyberspace, 2005.

[29] Michael L. Brodie et al., On Conceptual Modelling, 1984, Topics in Information Systems.

[30] Ray Welland et al., Web development evolution: the assimilation of Web engineering security, 2005, Third Latin American Web Congress (LA-WEB'2005).

[31] Kenneth R. van Wyk et al., Secure Coding Principles & Practices, 2003.

[32] R. Priest, Data Protection Act, 1988.

[33] Premkumar T. Devanbu et al., Software engineering for security: a roadmap, 2000, ICSE '00.

[34] cyberdetective, Convention on Cybercrime, 2007.

[35] D. E. Ross et al., Computer Fraud and Abuse Act, 2005.

[36] Tawfik Jelassi et al., Strategies for e-Business: Concepts and Cases on Value Creation and Digital Business Transformation, 2020, Classroom Companion: Business.

[37] Juanita Ellis et al., The Internet Security Guidebook: From Planning to Deployment, 2001.

[38] Peter Fingar et al., The Death of "e" and the Birth of the Real New Economy: Business Models, Technologies and Strategies for the 21st Century, 2001.

[39] Christopher L. Tucci et al., Internet Business Models and Strategies, 2000.

[40] Robert L. Glass et al., Facts and fallacies of software engineering, 2002.

[41] Gerhard Steinke et al., Data privacy approaches from US and EU perspectives, 2002, Telematics Informatics.

[42] Steven B. Lipner et al., The trustworthy computing security development lifecycle, 2004, 20th Annual Computer Security Applications Conference.

[43] San Murugesan, Web engineering, 1999, LINK.

[44] Yogesh Deshpande, Web Engineering Curriculum: A Case Study of an Evolving Framework, 2004, ICWE.

[45] K. Schwalm, National Strategy to Secure Cyberspace, 2006.

[46] Rick Freedman, The eConsultant: Guiding Clients to Net Success, 2001.

[47] Charles P. Pfleeger et al., Security in computing, 1988.