Meta-Modeling Based Secure Software Development Processes

This work proposes multilevel support for software developers, who often lack the knowledge and skills needed to develop secure software. Developing software of such quality is a hard and complex task that involves many additional security-dedicated activities, which are usually omitted from traditional software development lifecycles or, in others, integrated but not efficiently and appropriately deployed. To federate all these software security-assurance activities in a structured way and to provide the guidelines required for choosing and using them in a flexible development process, the authors used meta-modeling techniques and dynamic process execution that take into account developers' affinities and the product's states. The proposed approach formalizes existing secure software development processes, allows integration of new ones, prevents ad-hoc executions, and is supported by a tool to facilitate its deployment. A case study is given to exemplify the application of the proposed approach and to illustrate some of its advantages.
