Incorporating Database Systems into a Secure Software Development Methodology

We have previously proposed three separate methodologies for secure software development. We have found that they have many common and complementary aspects, and we proposed a combination of them that appears to be a good approach to secure software development. The combined methodology applies security at all stages, considers the architectural levels of the system, applies security policies through the use of patterns, and formalizes some portions of the design. We have studied in some detail how to elicit and describe security requirements, how to reflect these requirements in the conceptual model, how to estimate some performance aspects, how to formalize some aspects such as communication protocols, and how to map the conceptual requirements into design artifacts. A design aspect that we have not studied is the incorporation of databases as part of the secure architecture. The database system is fundamental to security because it stores the persistent information, which constitutes most of the information assets of the institution. We present here some ideas on how to make sure that the database system has the same level of security as the rest of the secure application.
