Reducing the gap between security audit and software engineering methods

The information security aspect has become a major concern for software project leaders. The problem is that software engineers still consider security issues as add-on requirements expressed and verified by “external” actors like auditors or security managers. We aim to help software engineers by identifying precisely what they are expected to do and to deliver at each step, in order to enhance the security level of the targeted information system. In this paper, we focus on merging security issues in software life cycle. Therefore, we extract security requirements and best practices from security audit methods and embed them in software methods. We consider in particular the well-known UP and MEHARI methods. The idea is to anchor security recommendations from the MEHARI method in the lifecycle of the UP, by the mean of meta-modeling approach.

[1]  Eric Dubois,et al.  A Systematic Approach to Define the Domain of Information System Security Risk Management , 2010, Intentional Perspectives on Information Systems Engineering.

[2]  P. Krutchen,et al.  The Rational Unified Process: An Introduction , 2000 .

[3]  Brian Ritchie,et al.  Model based security risk analysis for web applications: the CORAS approach , 2002 .

[4]  Jan Jürjens,et al.  UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[5]  Charlotte Hug,et al.  Méthode, modèles et outil pour la méta-modélisation des processus d'ingénierie de systèmes d'information. (Method, models and tool for information systems engineering process metamodelling) , 2009 .

[6]  Dirk Fox,et al.  Open Web Application Security Project , 2006, Datenschutz und Datensicherheit - DuD.

[7]  Salah Baïna Interopérabilité dirigée par les modèles : une Approche Orientée Produit pour l'interopérabilité des systèmes d'entreprise. (A product oriented approach for enterprise systems interoperability) , 2006 .

[8]  Scott W. Ambler,et al.  A Manager's Introduction to The Rational Unified Process (RUP) , 2005 .

[9]  Jan Jürjens,et al.  Secure systems development with UML , 2004 .

[10]  Marlon Dumas,et al.  A Comparison of SecureUML and UMLsec for Role-based Access Control , 2010 .

[11]  Mounia Fredj,et al.  MDA based-approach for UML Models Complete Comparison , 2011, ArXiv.

[12]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.