Web Engineering Security (WES) Methodology

The World Wide Web has had a significant impact on the basic operational economic components of global information-rich civilizations. This impact is forcing organizations to justify security from a business case perspective and to focus on security from a Web application development environment perspective. This increased focus on security was the basis of a business case discussion and led to the acquisition of empirical evidence, gathered from a high-level Web survey and more detailed industry surveys, to analyse security in the Web application development environment. Along with this information, a collection of evidence from relevant literature was also gathered. Individual aspects of the data gathered in these activities contributed to the proposal of the Essential Elements (EE) and the Security Criteria for Web Application Development (SCWAD). The Essential Elements present the idea that there are essential, basic organizational elements that need to be identified, defined and addressed before examining security aspects of a Web Engineering development process. The Security Criteria for Web Application Development identify criteria that need to be addressed by a secure Web Engineering process. Both the EE and SCWAD are presented in detail, along with justification of their relevance to Web Engineering. SCWAD is utilized as a framework to evaluate the security of a representative selection of recognized software engineering processes used in Web Engineering application development. The software engineering processes appraised by SCWAD include the Waterfall Model, the Unified Software Development Process (USD), the Dynamic Systems Development Method (DSDM) and eXtreme Programming (XP).
SCWAD is also used to assess existing security methodologies, which comprise the Orion Strategy, Survivable / Viable IS approaches, the Comprehensive Lightweight Application Security Process (CLASP) and Microsoft’s Trustworthy Computing Security Development Lifecycle. The synthesis of information provided by both the EE and SCWAD was used to develop the Web Engineering Security (WES) methodology. WES is a proactive, flexible, process-neutral security methodology with customizable components that is based on empirical evidence and used to explicitly integrate security throughout an organization’s chosen application development process. In order to evaluate the practical application of the EE, SCWAD and the WES methodology, two case studies were conducted during the course of this research. The first case study describes the application of both the EE and SCWAD to the Hunterian Museum and Art Gallery’s Online Photo Library (HOPL) Internet application project. The second case study presents the commercial implementation of the WES methodology within a Global Fortune 500 financial service sector organization. The assessment of the WES methodology within the organization consisted of an initial survey establishing current security practices, a follow-up survey after changes were implemented and an overall analysis of the security conditions assigned to projects throughout the life of the case study.
