Using Model Driven Security Approaches in Web Application Development

With the rise of Model Driven Engineering (MDE) as a software development methodology, which increases productivity and, supported by powerful code generation tools, allows a less error-prone implementation process, the idea of modeling security aspects during the design phase of the software development process was first suggested by the research community almost a decade ago. While various approaches for Model Driven Security (MDS) have been proposed during the years, it is still unclear, how these concepts compare to each other and whether they can improve the security of software projects. In this paper, we provide an evaluation of current MDS approaches based on a simple web application scenario and discuss the strengths and limitations of the various techniques, as well as the practicability of MDS for web application security in general.

[1]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[2]  Thomas Neubauer,et al.  Model-Driven Development Meets Security: An Evaluation of Current Approaches , 2011, 2011 44th Hawaii International Conference on System Sciences.

[3]  Ivar Jacobson,et al.  Unified Modeling Language Reference Manual, The (2nd Edition) , 2004 .

[4]  Pierre-Yves Schobbens,et al.  Tool support for code generation from a UMLsec property , 2010, ASE.

[5]  Li Yang,et al.  Secure software architectures design by aspect orientation , 2005, 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS'05).

[6]  Vidyasagar Potdar,et al.  Modeling Input Validation in UML , 2008 .

[7]  Axel van Lamsweerde,et al.  The KAOS Project: Knowledge Acquisition in Automated Specification of Software , 1991 .

[8]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[9]  Andreas L. Opdahl,et al.  Templates for Misuse Case Description , 2001 .

[10]  Kevin Lano,et al.  Slicing of UML models using model transformations , 2010, MODELS'10.

[11]  Jan Jürjens,et al.  Security Analysis of a Biometric Authentication System Using UMLsec and JML , 2009, MoDELS.

[12]  Haralambos Mouratidis,et al.  Enhancing Secure Tropos to Effectively Deal with Security Requirements in the Development of Multiagent Systems , 2009, Safety and Security in Multiagent Systems.

[13]  Ivar Jacobson,et al.  The unified modeling language reference manual , 2010 .

[14]  Jean-Marc Jézéquel,et al.  ≪UML≫ 2002 — The Unified Modeling Language , 2002, Lecture Notes in Computer Science.

[15]  Jan Jürjens,et al.  UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[16]  Mohammad Zulkernine,et al.  A model-based aspect-oriented framework for building intrusion-aware software systems , 2009, Inf. Softw. Technol..

[17]  Wesley Kerr,et al.  Safety and Security in Multiagent Systems - Research Results from 2004-2006 , 2009, Safety and Security in Multiagent Systems.

[18]  Fausto Giunchiglia,et al.  Tropos: An Agent-Oriented Software Development Methodology , 2004, Autonomous Agents and Multi-Agent Systems.