Model-Based Security Engineering: Managed Co-evolution of Security Knowledge and Software Models

Chapter in: Foundations of Security Analysis and Design VII (FOSAD 2013, FOSAD 2012)

Abstract

We explain UMLsec and associated techniques for incorporating security aspects into model-based development. Additionally, we show how UMLsec can be used in the context of software evolution. More precisely, we present the SecVolution approach, which supports monitoring changes in external security knowledge sources (such as compliance regulations or security databases) in order to react to security-related modifications and to support the associated co-evolution of the UMLsec models.

Funded by the DFG project SecVolution (JU 2734/2-1, SCHN 1072/4-1), part of the priority programme SPP 1593 “Design For Future - Managed Software Evolution”.




Copyright information

© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Bürger, J., Jürjens, J., Ruhroth, T., Gärtner, S., Schneider, K. (2014). Model-Based Security Engineering: Managed Co-evolution of Security Knowledge and Software Models. In: Aldini, A., Lopez, J., Martinelli, F. (eds) Foundations of Security Analysis and Design VII. FOSAD 2013, FOSAD 2012. Lecture Notes in Computer Science, vol 8604. Springer, Cham. https://doi.org/10.1007/978-3-319-10082-1_2

  • DOI: https://doi.org/10.1007/978-3-319-10082-1_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-10081-4

  • Online ISBN: 978-3-319-10082-1

  • eBook Packages: Computer Science, Computer Science (R0)
