Integrating Security and Software Engineering

Published By IGI Global

9781599041476, 9781599041490

Author(s): M. Koch, F. Parisi-Presicce, K. Pauls

Security requirements have become an integral part of most modern software systems. In order to produce secure systems, it is necessary to provide software engineers with the appropriate systematic support. This chapter discusses a methodology to integrate the specification of access control policies into UML. The methodology, along with the graph-based formal semantics for the UML access control specification, allows one to reason about the coherence of the access control specification. The chapter also presents a procedure to modify policy rules to guarantee the satisfaction of constraints, and shows how to generate access control requirements from UML diagrams. The main concepts in the UML access control specification are illustrated with an example access control model for distributed object systems.


Author(s): S. H. Houmb, G. Georg, J. Jurjens, R. France

This chapter describes the integrated security verification and security solution design trade-off analysis (SVDT) approach. SVDT is useful when there is a diverse set of requirements imposed upon a security critical system, such as a required security level, time-to-market and budget constraints, and end users’ expectations. Balancing these needs requires developers to evaluate alternative security solutions, and SVDT makes this evaluation effective. UMLsec, an extension to UML for secure systems development, is used to specify security requirements, and UMLsec tools are used to verify whether the alternative design solutions satisfy the security requirements.


Author(s): M. Siponen, R. Baskerville, R. Kuivalainen

Software developers can use agile software development methods to build secure information systems. Current agile methods have few (if any) explicit security features. While several discrete security methods (such as checklists and management standards) can supplement agile methods, few of these integrate seamlessly into other software development methods. Because of the severe constraints imposed by agile methods, these discrete security techniques integrate very poorly into agile approaches. This chapter demonstrates how security features can be integrated into an agile method called feature driven development.


Author(s): E. Yu, L. Liu, J. Mylopoulos

As software becomes more and more entrenched in everyday life in today’s society, security looms large as an unsolved problem. Despite advances in security mechanisms and technologies, most software systems in the world remain precarious and vulnerable. There is now widespread recognition that security cannot be achieved by technology alone. All software systems are ultimately embedded in some human social environment. The effectiveness of the system depends very much on the forces in that environment. Yet there are few systematic techniques for treating the social context of security together with technical system design in an integral way. In this chapter, we argue that a social ontology at the core of a requirements engineering process can be the basis for integrating security into a requirements driven software engineering process. We describe the i* agent-oriented modelling framework and show how it can be used to model and reason about security concerns and responses. A smart card example is used to illustrate. Future directions for a social paradigm for security and software engineering are discussed.


Author(s): N. R. Mead

In this chapter, we describe general issues in developing security requirements, methods that have been useful, and a method (SQUARE) that can be used for eliciting, analyzing, and documenting security requirements for software systems. SQUARE, which was developed by the CERT Program at Carnegie Mellon University’s Software Engineering Institute, provides a systematic approach to security requirements engineering. SQUARE has been used on a number of client projects by Carnegie Mellon student teams, prototype tools have been developed, and research is ongoing to improve this promising method.


Author(s): C. B. Haley, R. Laney, J. D. Moffett, B. Nuseibeh

This chapter presents a process for security requirements elicitation and analysis, based around the construction of a satisfaction argument for the security of a system. The process starts with the enumeration of security goals based on assets in the system, then uses these goals to derive security requirements in the form of constraints. Next, a satisfaction argument for the system is constructed, using a problem-centered representation, a formal proof to analyze properties that can be demonstrated, and structured informal argumentation of the assumptions exposed during construction of the argument. Constructing the satisfaction argument can expose missing and inconsistent assumptions about system context and behavior that affect security, and a completed argument provides assurance that a system can respect its security requirements.


Author(s): H. Mouratidis, P. Giorgini

The previous chapters of this book have presented promising approaches in the secure software engineering field. However, the field is still in its infancy and a number of challenges still need to be answered. The main aim of this chapter is to list and discuss nine challenges that we find important for the advance of the secure software engineering field. The main idea behind each challenge is presented in a short sentence followed by a discussion, which indicates why the challenge is important. In some cases, the discussion provides some ideas of how the challenge could be met.


Author(s): M. Weiss

While many theoretical approaches to security engineering exist, they are often limited to systems of a certain complexity, and require security expertise that is not widely available. Additionally, in the practice of information system development, security is but one of many concerns that need to be addressed, and security concerns are often dealt with in an ad hoc manner. Security patterns promise to fill this gap. Patterns enable an efficient transfer of experience and skills. However, representing and selecting security patterns remains largely an empirical task. This becomes more of a challenge as the number of security patterns documented in the literature grows, and as the patterns proposed by different authors often overlap in scope. Our contribution is to use a more explicit representation of the forces addressed by a pattern in the description of security patterns, which is based on non-functional requirements analysis. This representation helps us decide which patterns to apply in a given design context, and anticipate the effect of using several patterns in combination. Specifically, this chapter describes an approach for selecting security patterns, and exploring the impact of applying these patterns individually and in concert with other patterns.


Author(s): A. Mana, C. Rudolph, G. Spanoudakis, V. Lotz, F. Massacci, ...

The scenarios of Ambient Intelligence introduce a new computing paradigm and set new challenges for the design and engineering of secure and dependable systems. This chapter describes SERENITY, a comprehensive approach to overcome those problems. The key to success in this scenario is to capture security expertise in such a way that it can be supported by automated means. SERENITY’s integral model of S&D considers both static and dynamic aspects by relying on two main innovations: (1) the enhanced notion of S&D patterns and integration schemes; and (2) the computer aided run-time monitoring of the implemented security solutions.


Author(s): E. B. Fernandez, M. M. Larrondo-Petrie, T. Sorgente, M. Vanhilst

We are developing a methodology to build secure software for complex applications and its related support. This methodology considers the whole software lifecycle, uses security patterns, and is applied at all the architectural levels of the system. A main idea is that security principles should be applied at every stage and that each stage can be tested for compliance with security principles. Patterns help apply security principles. This chapter presents the current status of our work.

