ABSTRACT
Cost-effective development of secure software is a key goal for many software organizations as they seek to manage the risks of misbehaving software. Employing Formal Methods (FMs) within the Model-Based Software Engineering (MBSE) paradigm, which systematically produces software systems through modeling, simulation, reuse and automation, is a reasonable approach to developing highly secure software productively. MBSE approaches add some complexity at the beginning of the lifecycle, but save substantial time in production and delivery by identifying and resolving defects early and reducing rework. However, the expertise that FMs require, and the associated costs, often inhibit their wide use in securing large and complex software systems. In this paper, we report our experience with Formal Analysis and Design for Engineering Security (FADES), an approach we introduced two years ago at this venue. Through systematic and automated transformation from semiformal requirements specifications to formal design, FADES facilitates embedding FMs into the development lifecycle of secure software systems. We outline the case studies and the validation of the feasibility of FADES for the design and implementation of secure software systems. Promising experience with FADES was a necessary precursor to our work on generalizing it and to our proposal to develop FADES into an MBSE approach. We discuss how the formality, transformation, reuse and automation in FADES may further enhance MBSE-based production and delivery of secure software.
Towards safe and productive development of secure software: FADES and model-based software engineering