Integrating Security and Software Engineering: An Introduction

This chapter serves as an introduction to this book. It introduces software engineering, security engineering, and secure software engineering, providing definitions and explanations of the terms necessary for readers to understand the subsequent chapters. Characteristics of each of these areas are presented, followed by an overview of the current advances in them. Finally, the 10 approaches described in the remaining chapters of the book are briefly introduced.

This chapter appears in the book Integrating Security and Software Engineering: Advances and Future Visions, edited by Haralambos Mouratidis and Paolo Giorgini. Copyright © 2007, Idea Group Inc. (Information Science Publishing), Hershey PA, USA; http://www.idea-group.com.

INTRODUCTION

Software systems are becoming more and more critical in every domain of human society: transportation, telecommunications, entertainment, health care, military, education, and so on; the list is almost endless. These systems are used not only by major corporations and governments but also by individual users. Such wide use of information systems has resulted in these systems containing a large amount of critical information, which inevitably needs to remain secure. Therefore, although it is important to ensure that software systems are developed according to the users' needs (functional requirements), it is equally important to ensure that these systems are secure. However, traditionally, security is considered after the definition of the system, meaning that security mechanisms are fitted into pre-existing designs.

Usually, in practice, a fit-all solution is assumed, where security mechanisms such as authentication are inserted into the system with very little consideration of the implications of inserting such mechanisms into the existing system's design. As a result, security may conflict with the system's requirements, and this can lead to problems which most of the time translate into security vulnerabilities (Anderson, 2001; Stallings, 1999). One of the reasons for this situation is that the two associated research areas, software engineering and security engineering, have traditionally worked independently. On the one hand, software engineering techniques and methodologies do not consider security an important issue, although they have integrated concepts such as reliability and performance, and they usually fail to provide precise enough semantics to support the analysis and design of security requirements and properties (Crook, Ince, & Nuseibeh, 2003; Mouratidis, 2004a). On the other hand, security engineering research has mainly produced formal and theoretical methods, which are difficult for non-security experts to understand and which, apart from security, consider only limited aspects of the system. From the viewpoint of the traditional security paradigm, integrating security and software engineering would result in a situation where security is considered as part of the development process, leading to the development of more secure software systems. We call this area of research secure software engineering, and we consider it a branch of research concerned with the development of secure software systems which integrates security and software engineering. In the rest of the chapter, the research areas of software and security engineering are introduced, and a discussion emphasising the characteristics of the secure software engineering research area is presented.

Then the current state of the art in software and security engineering is presented, emphasising the latest approaches to secure software engineering. The chapter concludes by introducing the approaches presented in the rest of the book.

SOFTWARE ENGINEERING

Trying to explicitly and accurately define something as wide and dynamic as software engineering is a very difficult task. Therefore, there is a tendency among researchers and practitioners to develop personal definitions (Pressman, 2005). As a result, various different definitions of software engineering appear in texts (see, for example, Macro & Buxton, 1990; Pressman, 2005; Sommerville, 2004; Vliet, 1993). These definitions often use different words and different ideas to describe software engineering and range from very simple ones, such as software

[1] Axel van Lamsweerde, et al. Handling Obstacles in Goal-Oriented Requirements Engineering, 2000, IEEE Trans. Software Eng.

[2] John Mylopoulos, et al. Requirement Engineering Meets Security: A Case Study on Modelling Secure Electronic Transactions by VISA and Mastercard, 2003, ER.

[3] John Mylopoulos, et al. Security and privacy requirements analysis within a social setting, 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003.

[4] Lawrence Chung, et al. Dealing with Non-Functional Requirements: Three Experimental Studies of a Process-Oriented Approach, 1995, 1995 17th International Conference on Software Engineering.

[5] John Mylopoulos, et al. Filling the Gap between Requirements Engineering and Public Key/Trust Management Infrastructures, 2004, EuroPKI.

[6] Fausto Giunchiglia, et al. Tropos: An Agent-Oriented Software Development Methodology, 2004, Autonomous Agents and Multi-Agent Systems.

[7] Haralambos Mouratidis, et al. A security oriented approach in the development of multiagent systems: applied to the management of the health and social care needs of older people in England, 2004.

[8] Bashar Nuseibeh, et al. Arguing security: validating security requirements using structured argumentation, 2005.

[9] Gruia-Catalin Roman, et al. A taxonomy of current issues in requirements engineering, 1985, Computer.

[10] Gary McGraw, et al. Building Secure Software: what developers should know about software security, 2006.

[11] V. P. Lane. Security of computer based information systems, 1985.

[12] Jan Jürjens, et al. UMLsec: Extending UML for Secure Systems Development, 2002, UML.

[13] Bashar Nuseibeh, et al. Modelling access policies using roles in requirements engineering, 2003, Inf. Softw. Technol.

[14] Haralambos Mouratidis, et al. Using Security Attack Scenarios to Analyse Security During Information Systems Design, 2004, ICEIS.

[15] Haralambos Mouratidis, et al. A secure architectural description language for agent systems, 2005, AAMAS '05.

[16] Markus Schumacher, et al. Security Engineering with Patterns, 2003, Lecture Notes in Computer Science.

[17] Andreas L. Opdahl, et al. Eliciting security requirements with misuse cases, 2004, Requirements Engineering.

[18] Dieter Gollmann, et al. Computer Security, 1979, Lecture Notes in Computer Science.

[19] Michael Weiss, et al. Security Patterns Meet Agent Oriented Software Engineering: A Complementary Solution for Developing Secure Information Systems, 2005, ER.

[20] William Stallings, et al. Cryptography and Network Security: Principles and Practice, 1998.

[21] Haralambos Mouratidis, et al. Modelling secure multiagent systems, 2003, AAMAS '03.

[22] Grady Booch, et al. Object-Oriented Analysis and Design with Applications, 1990.

[23] Hans van Vliet, et al. Software engineering - principles and practice, 1993.

[24] David A. Bell, et al. Secure computer systems: mathematical foundations and model, 1973.

[25] Annie I. Antón, et al. A requirements taxonomy for reducing Web site privacy vulnerabilities, 2004, Requirements Engineering.

[26] Ian F. Alexander, et al. Misuse Cases: Use Cases with Hostile Intent, 2003, IEEE Softw.

[27] Premkumar T. Devanbu, et al. Software engineering for security: a roadmap, 2000, ICSE '00.

[28] Bruce Schneier, et al. Secrets and Lies: Digital Security in a Networked World, 2000.

[29] Daniel J. Russell, et al. FAD: a functional analysis and design methodology, 2001.

[30] Roger S. Pressman, et al. Software Engineering: A Practitioner's Approach, 1982.

[31] John N. Buxton, et al. Craft of software engineering, 1987, International computer science series.