
Moving from Requirements to Design Confronting Security Issues: A Case Study

  • Conference paper
In: On the Move to Meaningful Internet Systems: OTM 2009 (OTM 2009)

Abstract

Since software security emerged as a research area, it has been evident that security should be incorporated as early as possible in the software lifecycle: the cost and effort saved are large compared with introducing security as an afterthought. The earliest phase in which attacks can be considered is requirements specification, and a widely accepted way to capture security concerns there is the use of misuse cases. In this paper we examine a case study in which a class diagram is generated automatically from the use and misuse cases present in the requirements. In particular, we extend a natural language processing approach so that it moves beyond a general domain model and produces a detailed class diagram. Security patterns are then introduced at the appropriate places in the design to confront the documented attacks and protect the threatened resources. We also perform an experimental study of the tradeoff between the additional effort needed to mitigate the attacks and the security risk of the resulting system. Finally, we formulate the optimization problem of finding the system with the least additional effort whose risk does not exceed a given maximum acceptable level, and propose an algorithm to solve it.




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Halkidis, S.T., Chatzigeorgiou, A., Stephanides, G. (2009). Moving from Requirements to Design Confronting Security Issues: A Case Study. In: Meersman, R., Dillon, T., Herrero, P. (eds) On the Move to Meaningful Internet Systems: OTM 2009. OTM 2009. Lecture Notes in Computer Science, vol 5871. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05151-7_4


  • DOI: https://doi.org/10.1007/978-3-642-05151-7_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-05150-0

  • Online ISBN: 978-3-642-05151-7

  • eBook Packages: Computer Science (R0)
