Abstract
Since the emergence of software security as a research area, it has been evident that security should be incorporated as early as possible in the software lifecycle. The advantage is that large gains can be achieved in terms of cost and effort compared to the introduction of security as an afterthought. The earliest possible phase to consider possible attacks is during requirements specification. A widely accepted approach to consider security in the requirements is the employment of misuse cases. In this paper we examine a case study to automatically generate a class diagram, based on the use and misuse cases present in the requirements. Particularly, we extend a natural language processing approach to move beyond a general domain model and produce a detailed class diagram. Moreover, security patterns are introduced in appropriate places of the design to confront the documented attacks and protect the threatened resources. Additionally, we perform an experimental study to investigate the tradeoff between the additional effort to mitigate the attacks and the security risk of the resulting system. Finally, the optimization problem of finding the smallest system regarding additional effort given a maximum acceptable risk is established and an appropriate algorithm to solve it is proposed.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Alexander, I.: Misuse Cases: Use Cases with Hostile Intent. IEEE Software, 58–66 (January/February 2003)
Allen, J.: Natural Language Understanding. Addison Wesley, Reading (1994)
Bikel, D.: Design of a Multi-lingual Parallel-Processing Statistical Parser Engine. In: Proceedings of Human Language Technology Conference, HLT 2002 (2002)
Blakley, B., Heath, C., Members of the Open Group Security Forum: Security Design Patterns. Open Group Technical Guide (2004)
Braga, A., Rubira, C., Dahab, R.: Tropyc: A Pattern Language for Cryptographic Software. In: Proceedings of the 5th Conference on Pattern Languages of Programming, PLoP 1998 (1998)
Caldiera, G., Antoniol, G., Fiutem, R., Lokan, C.: A Definition and Experimental Evaluation of Function Points for Object-Oriented Systems. In: Proceedings of the Fifth International Symposium on Software Metrics-METRICS 1998, pp. 167–178 (1998)
Cgisecurity.com, Cross Site Scripting questions and answers, http://www.cgisecurity.com/articles/xss-faq.shtml
Charniak, E.: Statistical Techniques for Natural Language Parsing. AI Magazine 18(4), 33–44 (1997)
Chen, S.-J., Chen, S.-M.: Fuzzy Risk Analysis Based on Similarity Measures of General-ized Fuzzy Numbers. IEEE Transactions on Fuzzy Sets and Systems 11(1) (2003)
Collins, M.: A New Statistical Parser Based on Bigram Lexical Dependencies. In: Proceedings of the 34th Annual Meeting of the Association for Computational Linguistics, pp. 184–191 (1996)
Costagliola, G., Ferruci, F., Tortora, G., Vitello, G.: Class Point: An Approach for the Size Estimation of Object Oriented Systems. IEEE Transactions on Software Engineering 31(1) (January 2005)
Dražan, J.: Natural Language Processing of Textual Use Cases. M.Sc. Thesis, Department of Software Engineering, Faculty of Mathematics and Physics, Charles University in Prague (2005)
Fernandez, E.: Metadata and authorization patterns (2000), http://www.cse.fau.edu/~ed/MetadataPatterns.pdf
Friedl, S.: SQL Injection Attacks by Example, http://www.unixwiz.net/techtips/sql-injection.html
Georg, G., Ray, I., Anastasakis, K., Bordbar, B., Toachoodee, M., Humb, S.H.: An Aspect Oriented Methodology for Desigining Secure Applications. Information and Software Technology 51, 846–864 (2009)
Halkidis, S.T., Tsantalis, N., Chatzigeorgiou, A., Stephanides, G.: Architectural Risk Analysis of Software Systems Based on Security Patterns. IEEE Transactions on Depend-able and Secure Computing 5(3), 129–142 (2008)
Harmain, H.M., Gaizauskas, R.: CM-Builder: An Automated NL-based CASE Tool. In: Proceedings of the 15th IEEE International Conference on Automated Software Engineering, pp. 45–53 (2000)
Hoglund, G., McGraw, G.: Exploiting Software, How to Break Code. Addison Wesley, Reading (2004)
Howard, M., LeBlanc, D.: Writing Secure Code. Microsoft Press, Redmond (2002)
Hu, D.: Preventing Cross-Site Scripting Vulnerability. SANS Institute whitepaper (2004)
Ilieva, M.G., Ormanijeva, O.: Automatic Transition of Natural Language Software Requirements Specification into Formal Presentation. In: Montoyo, A., Muńoz, R., Métais, E. (eds.) NLDB 2005. LNCS, vol. 3513, pp. 392–397. Springer, Heidelberg (2005)
Jűrjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2005)
Kienzle, D., Elder, M.: Security Patterns for Web Application Development. Univ. of Virginia Technical Report (2002)
Klein, A.: Divide and Conquer., HTTP Response Splitting, Web Cache Poisoning Attacks and Related Topics, Sanctum whitepaper (2004)
Kruchten, P.: The Rational Unified Process: An Introduction. Addison Wesley, Reading (2000)
van Lamsweerde, A.: Elaborating Security Requirements by Construction of Intentional Anti-Models. In: Proceedings of ICSE 2004, 26th International Conference on Software Engineering, Edinburgh, May 2004, pp. 148–157. ACM-IEEE (2004)
van Lamsweerde, A.: Engineering Requirements for System Reliability and Security, in Software System Reliability and Security. In: Broy, M., Grunbauer, J., Hoare, C.A.R. (eds.) NATO Security through Science Series - D: Information and Communication Security, vol. 9, pp. 196–238. IOS Press, Amsterdam (2007)
Larman, C.: Applying UML and Patterns: An Introduction to Object-Oriented Analysis and Design and the Unified Process. Prentice-Hall, Englewood Cliffs (2002)
Lee Brown, F., Di Vietri, J., Diaz de Villegas, G., Fernandez, E.: The Authenticator Pattern. In: Proceedings of the 6th Conference on Pattern Languages of Programming, PLoP 1999 (1999)
Li, L.: A Semi-Automatic Approach to Translating Use Cases to Sequence Diagrams. In: Proceedings of Technology of Object Oriented Languages and Systems, pp. 184–193 (1999)
Liu, D., Subramaniam, K., Eberlein, A., Far, B.H.: Natural Language Requirements Analy-sis and Class Model Generation Using UCDA. In: Orchard, B., Yang, C., Ali, M. (eds.) IEA/AIE 2004. LNCS (LNAI), vol. 3029, pp. 295–304. Springer, Heidelberg (2004)
Mahmoud, Q.: Security Policy: A Design Pattern for Mobile Java Code. In: Proceedings of the 7th Conference on Pattern Languages of Programming, PLoP 2000 (2000)
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
Marcus, M., Kim, G., Marciniewicz, M.A., MacIntire, R., Bies, A., Ferguson, M., Katz, K., Schasberger, B.: The Penn Treebank: annotating predicate argument structure. In: Proceedings of the 1994 ARPA Human Language Technology Workshop (1994)
Martello, X., Toth, P.: Knapsack Problems: Algorithms and Computer Implementations. John Wiley and Sons, Chichester (1990)
McGraw, G.: Software Security, Building Security. Addison Wesley, Reading (2006)
Mouratidis, H., Giorgini, P., Manson, G.: An Ontology for Modelling Security: The Tro-pos Approach, in Knowledge-Based Intelligent Information and Engineering Systems. In: Palade, V., Howlett, R.J., Jain, L. (eds.) KES 2003. LNCS, vol. 2773. Springer, Heidelberg (2003)
Mouratidis, H., Giorgini, P., Schumacher, M.: Security Patterns for Agent Systems. In: Proceedings of the Eighth European Conference on Pattern Languages of Programs, EuroPLoP 2003 (2003)
Overmyer, S.P., Lavoie, B., Owen, R.: Conceptual Modeling through Linguistic Analysis Using LIDA. In: Proceedings of the 23rd International Conference on Software Engineering, pp. 401–410 (2001)
Pauli, J.J., Xu, D.: Misuse Case Based Design and Analysis of Secure Software Architecture. In: Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC 2005). IEEE, Los Alamitos (2005)
Romanosky, S.: Enterprise Security Patterns. Information Systems Security Association Journal (March 2003)
Rosenberg, D., Stephens, M.: Use Case Driven Modeling with UML: Theory and Practice. Apress (2007)
Sindre, G., Opdahl, A.L.: Capturing Security Requirements with Misuse Cases. In: Proceedings of the 14th annual Norwegian Informatics Conference, Norway (2001)
Sindre, G., Opdahl, A.L.: Eliciting Security Requirements with Misuse Cases. Requirements Engineering 10, 34–44 (2005)
Sindre, G., Opdahl, A.L.: Templates for Misuse Case Description. In: Proceedings of the 7th International Workshop on Requirements Engineering, Foundations for Software Quality, REFSQ 2001 (2001)
Spett, K.: Cross-Site Scripting, Are your web applications vulnerable? SPI Labs whitepaper
SPI Labs, SQL Injection, Are Your Web Applications Vulnerable? SPI Labs whitepaper
Spinellis, D.: Code Quality: The Open Source Perspective. Addison Wesley, Reading (2006)
Steel, C., Nagappan, R., Lai, R.: Core Security Patterns: Best Practices and Strategies for J2EE. In: Web Services and Identity Management. Prentice Hall, Englewood Cliffs (2006)
Viega, J., McGraw, G.: Building Secure Software, How to Avoid Security Problems the Right Way. Addison Wesley, Reading (2002)
Weiss, M.: Patterns for Web Applications. In: Proceedings of the 10th Conference on Pattern Languages of Programming, PLoP 2003 (2003)
Yoder, J., Barcalow, J.: Architectural Patterns for enabling application security. In: Proceedings of the 4th Conference on Pattern Languages of Programming, PLoP 1997 (1997)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Halkidis, S.T., Chatzigeorgiou, A., Stephanides, G. (2009). Moving from Requirements to Design Confronting Security Issues: A Case Study. In: Meersman, R., Dillon, T., Herrero, P. (eds) On the Move to Meaningful Internet Systems: OTM 2009. OTM 2009. Lecture Notes in Computer Science, vol 5871. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05151-7_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-05151-7_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05150-0
Online ISBN: 978-3-642-05151-7
eBook Packages: Computer ScienceComputer Science (R0)