Connecting security requirements analysis and secure design using patterns and UMLsec

Authors:
Holger Schmidt;Jan Jürjens
Affiliations:
Software Engineering, Department of Computer Science, TU Dortmund, Germany;Software Engineering, Department of Computer Science, TU Dortmund, Germany and Fraunhofer ISST, Germany
Venue:
CAiSE'11 Proceedings of the 23rd international conference on Advanced information systems engineering
Year:
2011

Citing 10
Cited 2

Software architecture: perspectives on an emerging discipline

Software architecture: perspectives on an emerging discipline
Problem frames: analyzing and structuring software development problems

Problem frames: analyzing and structuring software development problems
Security in Computing

Security in Computing
Relating Software Requirements and Architectures Using Problem Frames

RE '02 Proceedings of the 10th Anniversary IEEE Joint International Conference on Requirements Engineering
Architecture-driven Problem Decomposition

RE '04 Proceedings of the Requirements Engineering Conference, 12th IEEE International
Component composition through architectural patterns for problem frames

APSEC '06 Proceedings of the XIII Asia Pacific Software Engineering Conference
An Analysis of the Security Patterns Landscape

SESS '07 Proceedings of the Third International Workshop on Software Engineering for Secure Systems
From goal-driven security requirements engineering to secure design

International Journal of Intelligent Systems - Goal-driven Requirements Engineering
The security twin peaks

ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Designing security requirements models through planning

CAiSE'06 Proceedings of the 18th international conference on Advanced Information Systems Engineering

Evaluation of the Pattern-based method for Secure Development (PbSD): A controlled experiment

Information and Software Technology
Comparing attack trees and misuse cases in an industrial setting

Information and Software Technology

Quantified Score

Hi-index	0.00

Visualization

Abstract

Existing approaches only provide informal guidelines for the transition from security requirements to secure design. Carrying out this transition is highly non-trivial and error-prone, leaving the risk of introducing vulnerabilities. This paper presents a pattern-oriented approach to connect security requirements analysis and secure architectural design. Following the divide & conquer principle, a software development problem is divided into simpler subproblems based on security requirements analysis patterns. We complement each of these patterns with architectural security patterns tailored to solve classes of security subproblems.We use UMLsec together with the advanced modeling possibilities for software architectures of UML 2.3 to equip the architectural security patterns with security properties, and to allow tool-supported analysis and composition of instances of these patterns. We validate our approach using two case studies and illustrate its support for Common Criteria certifications.