Key Issues of a Formally Based Process Model for Security Engineering

In this paper we outline a new process model for security engineering. This process model extends object-oriented, use-case-oriented software development with systematic security requirements elicitation and realization. In particular, we integrate the modeling of security requirements and threat and risk analysis on the one hand with the modeling of business processes and use cases and the construction of the software architecture on the other. Since formal methods play a special role in security engineering, we characterize their usage within the process model presented.

Key-Words: Process Model for Security Engineering, Security Process Model, Risk Analysis, Object Oriented Software Development
