CoSMo: An Approach Towards Conceptual Security Modeling

Security is generally believed to be a very important topic. However, during software development security requirements are hardly ever properly treated, least of all on the conceptual level. Security is considered as some kind of add-on which will be applied to the system after development. To fill this gap we work on the development of a conceptual security modeling method we refer to as CoSMo (Conceptual Security Modeling). In this paper first a comprehensive summary of available security modeling methodologies is presented. Second, various security requirements and mechanisms which are necessary for building secure software systems are described systematically to give a clear distinction between requirements and mechanisms to enforce the security requirements. Finally, a modeling example is given to illustrate particular security requirements and mechanisms.

[1]  Pierangela Samarati,et al.  Authentication, access control, and audit , 1996, CSUR.

[2]  Wilfried Thoben Sicherheitsanforderungen im Rahmen der Bedrohungs- und Risikoanalyse von IT-Systemen , 1997, BTW.

[3]  Peter P. Chen The entity-relationship model: toward a unified view of data , 1975, VLDB '75.

[4]  G.W. Smith The semantic data model for security: representing the security semantics of an application , 1990, [1990] Proceedings. Sixth International Conference on Data Engineering.

[5]  Alexander W. Röhm,et al.  A secure electronic market for anonymous transferable emission permits , 1998, Proceedings of the Thirty-First Hawaii International Conference on System Sciences.

[6]  Günther Pernul,et al.  COPS: a model and infrastructure for secure and fair electronic markets , 2000, Decis. Support Syst..

[7]  Dieter Gollmann,et al.  Computer Security , 1979, Lecture Notes in Computer Science.

[8]  Hannes Federrath,et al.  Project “anonymity and unobservability in the Internet” , 2000, CFP '00.

[9]  Gary W. Smith Modeling Security-Relevant Data Semantics , 1991, IEEE Trans. Software Eng..

[10]  Arndt Schönberg,et al.  Ein unscharfes Bewertungskonzept für die Bedrohungs- und Risikoanalyse Workflow-basierter Anwendungen , 1999 .

[11]  Hannes Federrath,et al.  Anonymity and Unobservability in the Internet , 1999 .

[12]  Silvana Castano,et al.  Database Security , 1997, IFIP Advances in Information and Communication Technology.

[13]  Günther Pernul,et al.  Viewing Business-Process Security from Different Perspectives , 1999, Int. J. Electron. Commer..

[14]  William E. Lorensen,et al.  Object-Oriented Modeling and Design , 1991, TOOLS.