Abstract
The goal of this paper is to propose the use of the Misuse Case and Obligation use case concepts in the Software Development Life Cycle (SDLC) in order to position security concerns at the very beginning of this process and to get “secure applications”. These concepts are built upon the “use case” concept which is well known by the community of application developers in companies and by the application sponsors. The application sponsors are the key business stakeholders that fund and/or rely on the application for their business benefits. As stated in [1] and [3], the use case concept has proven helpful for the elicitation of, communication about and documentation of requirements [4]. So, we think it is easier to introduce security requirements in the development lifecycle by reusing and/or constructing security requirement artifacts around the use case and UML approach.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Al-Azzani, S.: Security Testing - RSMG 2 (2009), http://www.cs.bham.ac.uk
Bettini, C., Jajodia, S., Wang, S., Wijesekera, D.: Provisions and obligations in policy management and security applications. In: Proceedings of the 28th International Conference on Very Large Data Bases, VLDB Endowment, Hong Kong, pp. 502–513 (2002)
Devambu, P.T., Stubbelbine, S.: Software engineering for security: a roadmap. In: Future of Software Engineering, Special volume of the Proceedings of the 22nd Int. Conf. on Software Engineering (ICSE 2000), pp. 227–239 (2000)
Firesmith, D.: Security Use Cases. Journal of Object Technology 2(3), 53–64 (2003)
European Union: Directive 2004/39/EC on The Markets in Financial Instruments Directive (MiFID). Official Journal of the European Union (2004), http://eurlex.europa.eu
European Union : Directive 2005/60/EC on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing; Official Journal of the European Union (2005), http://eurlex.europa.eu
Giorgini, P., Massacci, F., Mylopoulos, J.: Requirement Engineering meets Security: A Case Study on Modelling Secure Electronic Transactions by VISA and Mastercard. In: 22th of International Conference on Conceptual Modeling (2003)
Giorgini, P., Massacci, F., Zannone, N.: Security and Trust Requirements Engineering; survey. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2005. LNCS, vol. 3655, pp. 237–272. Springer, Heidelberg (2005)
Jürjens, J.: Modelling audit security for smart-card payment schemes with UMLsec. In: 16th Int. Conf.on Inf. Security (IFIP/SEC 2001). Kluwer AP, Dordrecht (2001)
Jürjens, J.: Towards secure systems development with umlsec. In: FASE/ETAPS 2001. LNCS, vol. 2029, pp. 187–200. Springer, Heidelberg (2001)
Kabasele-Tenday, J.-M.: Specifying Security in a Composite System. In: Okamoto, E. (ed.) ISW 1997. LNCS, vol. 1396, pp. 246–255. Springer, Heidelberg (1998)
Kalam, E., et al.: Organization based access control. In: Proceedings of the 4th Int. Workshop on Policies for Distributed Systems and Networks (POLICY 2003). IEEE, Los Alamitos (2003)
Kalam, E., et al.: Multi-OrBAC: un modèle de contrôle d’accès pour les systèmes multi-organisationnels. Centre pour la Communication Scientifique Directe (2006), http://www.ccsd.cnrs.fr/
van Lamsweerde, A., Letier, E.: Handling Obstacles in Goal-Oriented Requirements Engineering. TSE 26(10), 978–1005 (2000)
van Lamsweerde, A., Brohez, S., De Landtsheer, R.: Janssens. D.: From System Goals to Intruder Anti-Goals: Attack Generation and Resolution for Security Requirements Engineering. In: Proceedings of RHAS 2003, pp. 49–56 (2003)
Leiwo, J., Zheng, Y.: A Framework for the Management of Information Security. In: Okamoto, E. (ed.) ISW 1997. LNCS, vol. 1396, pp. 232–245. Springer, Heidelberg (1998)
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Li, J., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
Matulevičius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon, N.: Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development. In: Bellahsène, Z., Léonard, M. (eds.) CAiSE 2008. LNCS, vol. 5074, pp. 541–555. Springer, Heidelberg (2008)
Matulevicius, R., Mayer, N., Heymans, P.: Alignment of Misuse Cases with Security Risk Management. In: ARES Proceedings of the 2008 Third Int. Conf. on Availability, Reliability and Security. IEEE, Los Alamitos (2008)
Mayer, N., Heymans, P., Matulevičius, R.: Design of a Modelling Language for Information System Security Risk Management. In: Proceedings of the 1st International Conf. on Research Challenges in Information Science (RCIS 2007), pp. 121–131 (2007)
McDermott, J., Fox, C.: Using Abuse Case Models for Security Requirements Analysis. In: Proc. of ACSAC 1999, pp. 55–66. IEEE Press, Los Alamitos (1999)
Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Engineering 10(1), 34–44 (2005)
Wing, J.M.: A Symbiotic Relationship Between Formal Methods and Security, CMU-CS-98-188, Pittsburgh, PA (1998)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kabasele Tenday, JM. (2011). Using Special Use Cases for Security in the Software Development Life Cycle. In: Chung, Y., Yung, M. (eds) Information Security Applications. WISA 2010. Lecture Notes in Computer Science, vol 6513. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17955-6_9
Download citation
DOI: https://doi.org/10.1007/978-3-642-17955-6_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17954-9
Online ISBN: 978-3-642-17955-6
eBook Packages: Computer ScienceComputer Science (R0)