Practical programmer: inspections—some surprising findings
Communications of the ACM
Sound development of secure service-based systems
Proceedings of the 2nd international conference on Service oriented computing
An overview of JML tools and applications
International Journal on Software Tools for Technology Transfer (STTT) - Special section on formal methods for industrial critical systems
Cost-Benefit Trade-Off Analysis Using BBN for Aspect-Oriented Risk-Driven Development
ICECCS '05 Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems
Preliminary design of JML: a behavioral interface specification language for java
ACM SIGSOFT Software Engineering Notes
Model-Based Security Engineering of Distributed Information Systems Using UMLsec
ICSE '07 Proceedings of the 29th international conference on Software Engineering
Secure Systems Development with UML
Secure Systems Development with UML
Evaluation of the Pattern-based method for Secure Development (PbSD): A controlled experiment
Information and Software Technology
Not Ready for Prime Time: A Survey on Security in Model Driven Development
International Journal of Secure Software Engineering
| Hi-index | 0.00 |
Quality assurance for security-critical systems is particularly challenging: many systems are developed, deployed, and used that do not satisfy their security requirements. A number of software engineering approaches have been developed over the last few years to address this challenge, both in the context of model-level and code-level security assurance. However, there is little experience so far in using these approaches in an industrial context, the challenges and benefits involved and the relative advantages and disadvantages of different approaches. This paper reports on experiences from a practical application of two of these security assurance approaches. As a representative of model-based security analysis, we considered the UMLsec approach and we investigated the JML annotation language as a representative of a code-level assurance approach. We applied both approaches to the development and security analysis of a biometric authentication system and performed a comparative evaluation based on our experiences.