Abstract
We explain UMLsec and associated techniques for incorporating security aspects into model-based development. Additionally, we show how UMLsec can be used in the context of software evolution. More precisely, we present the SecVolution approach, which supports monitoring changes in external security knowledge sources (such as compliance regulations or security databases) in order to react to security-related modifications and to support the associated co-evolution of the UMLsec models.
Funded by the DFG project SecVolution (JU 2734/2-1, SCHN 1072/4-1), part of the priority programme SPP 1593 “Design For Future - Managed Software Evolution”.
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Bürger, J., Jürjens, J., Ruhroth, T., Gärtner, S., Schneider, K. (2014). Model-Based Security Engineering: Managed Co-evolution of Security Knowledge and Software Models. In: Aldini, A., Lopez, J., Martinelli, F. (eds) Foundations of Security Analysis and Design VII. FOSAD 2013, FOSAD 2012. Lecture Notes in Computer Science, vol 8604. Springer, Cham. https://doi.org/10.1007/978-3-319-10082-1_2
DOI: https://doi.org/10.1007/978-3-319-10082-1_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-10081-4
Online ISBN: 978-3-319-10082-1
eBook Packages: Computer Science, Computer Science (R0)