A tool for modeling software security requirements using security patterns

Bibliographic Details
Main Author: Maher, Zulfikar Ahmed
Format: Thesis
Language: English
Published: 2016
Online Access: http://psasir.upm.edu.my/id/eprint/69407/1/FSKTM%202016%2049%20-%20IR.pdf
Description
Summary: Security requirements of today's software systems are growing and becoming more complex. The software industry has recognized that security should be incorporated at earlier stages of software development. It is not easy for programmers and developers to incorporate security into software without proper expertise in it. For that reason, security experts have proposed different security patterns so that non-security experts can implement security. A security pattern provides a well-proven solution, supplied by security experts, to an existing security problem in a specific context. Security patterns are usually in textual format, which is why they are often neglected at the design level. Security patterns do not constitute an intuitive solution that software designers can use, because they are not useful without a systematic way to apply them. Security patterns lack a comprehensive structure that conveys the essential information inherent to security engineering (SE). This research presents a methodology for presenting secure software requirements using security patterns that is tailored to meet the needs of secure system development. In order to maximize comprehensibility, the well-known notations of the Unified Modeling Language (UML) are used to represent the structural and behavioral aspects of the design. Only 13% of the papers published up to 2015 involve tooling support for security patterns. To counter this limitation, this research proposes a methodology that focuses on presenting the solution provided by a security pattern in the form of standard UML notations. As the proposed method results in an extension of the deployment diagram, it is named the Security Patterns Deployment Diagram (SPDD).
It represents the solution provided by security patterns in standard UML graphical notation, including the compulsory elements of a security pattern (context, problem, actors, relations and solution) and showing where attacks will be fended off in the early design stage of the software system, all in a single view. SPDD is proposed along with a security modeling tool called SPDD Editor for modeling security pattern solutions using the proposed methodology. Security patterns research uses UML for modeling regardless of the security patterns to be dealt with, possibly because UML is the most widely accepted formalism for the analysis and design of software. Therefore, it is considered the security pattern modeling method here. This extension of the deployment diagram provides a suitable way to define semantics for each solution provided by a security pattern, allowing developers to easily understand software security requirements and their implementations in detail. A plug-in for the SeaMonster security design tool has been developed to support the design of the proposed diagram using the Eclipse Graphical Modeling Framework (GMF) and Eclipse Graphical Editor Framework (GEF). SPDD was validated with Hospital Information System (HIS) and E-Commerce System case studies. An expert review was performed to verify the proposed methodology and tool support: the SPDD Editor tool and both methods, SPDD and Component-Based Application (CBA), were evaluated by three experts in the field. The expert review showed positive results towards acceptance of the SPDD method and tool. An experimental comparison with twenty participants was also performed to validate the effectiveness and to find out which method is better, from the participants' point of view, in terms of designing the solution provided by security patterns.
The CBA method was selected for comparison with the proposed SPDD method because most programmers and developers are already familiar with the component diagram, so there is no need to teach them its application and they can easily perform the tasks related to the CBA method; in addition, security pattern modeling using CBA has previously been proposed in the literature. The experimental results from the participants showed a significant difference between the two methods in designing threats and mitigations with the SPDD Editor: the SPDD method was used to design more threats and mitigations than the CBA method. By using the proposed methodology and the SPDD Editor tool, it is easier for non-security experts to incorporate security at earlier stages of software development. It provides the facility of designing the security requirements into the architecture at the design stage while incorporating the expert knowledge of security experts captured in security patterns.