Software Engineering for Secure Systems
Latest Publications

Total documents: 12 (five years: 0)
H-index: 3 (five years: 0)

Published by IGI Global
ISBN 9781615208371, 9781615208388

Author(s):  
Holger Schmidt ◽  
Denis Hatebur ◽  
Maritta Heisel

The authors present a security engineering process based on security problem frames and concretized security problem frames. Both kinds of frames constitute patterns for analyzing security problems and associated solution approaches. They are arranged in a pattern system that makes dependencies between them explicit. The authors describe step-by-step how the pattern system can be used to analyze a given security problem and how solution approaches can be found. Afterwards, the security problems and the solution approaches are formally modeled in detail. The formal models serve to prove that the solution approaches are correct solutions to the security problems. Furthermore, the formal models of the solution approaches constitute a formal specification of the software to be developed. Then, the specification is implemented by generic security components and generic security architectures, which constitute architectural patterns. Finally, the generic security components and the generic security architecture that composes them are refined and the result is a secure software product built from existing and/or tailor-made security components.


Author(s):  
S Maj

The Internet is an integral part of business communications; however, it was based on open standards without due regard to security issues, and consequently security threats are not only persistent but also increasing. The Computer Security Institute (CSI) 2007 reported a doubling of average annual loss by US companies. There are three primary network security threats: policy, technology, and configuration. This chapter is primarily concerned with the configuration and management of network devices. There are a number of different network management tools currently available; however, typically it is problematic to concurrently display configuration data from devices and protocols whilst maintaining a navigational context. This chapter demonstrates how the State Model Diagram method is not only a universal model-driven network tool but also useful for the configuration and management of complex security protocols and devices.


Author(s):  
C. Blanco ◽  
D. Rosado ◽  
C. Gutiérrez ◽  
A. Rodríguez ◽  
D. Mellado ◽  
...  

Information security is currently considered to be a crucial aspect of systems development. However, it has traditionally been considered during the final stages of development, once the main components of the system have been developed, and therefore provides solutions which are inappropriate for security integration. Software engineering has traditionally been separated from security engineering, and security issues have not usually been included in software engineering processes, activities, techniques, models, and so on. Furthermore, security engineering has not been aligned with information systems, and has focused rather on the definition of protocols, cryptographic algorithms, access control policies, etc. However, the scientific community is beginning to realize the importance of aligning software engineering and security engineering in order to develop more secure systems. Security in software engineering is a branch of research in which many contributions dealing with security integration from the early development stages have recently appeared. This chapter discusses some of the most interesting contributions in this area, and also provides a summary of our contributions through the development of various research lines dealing with different strategies to integrate security into information systems development as early in the development stages as is possible.


Author(s):  
Kézia Oliveira ◽  
Kyller Gorgônio ◽  
Angelo Perkusich ◽  
Antônio Lima ◽  
Leandro Dias da Silva

Control Systems are used to produce a certain result with little or no human supervision. The principal aim of such systems is to ensure that resources are used efficiently and that the desired product quality is achieved. Moreover, for critical systems such as oil and gas plants, it is important to guarantee the safety and dependability of the operation. Therefore, it is necessary to verify whether what is running in the device is in accordance with what was defined in the specification documents. The goal of this chapter is to present a method that automatically generates the timed automata models from the specification ISA 5.2 Binary Logic Diagrams, and the implementation Ladder programs, for model-based analysis, in order to increase the confidence in the behavior of critical Control Systems. This approach is based on the use of the Uppaal tool and the Uppaal-TRON testing tool.


Author(s):  
Armstrong Nhlabatsi ◽  
Arosha Bandara ◽  
Shinpei Hayashi ◽  
Charles Haley ◽  
Jan Jurjens ◽  
...  

Addressing the challenges of developing secure software systems remains an active research area in software engineering. Current research efforts have resulted in the documentation of recurring security problems as security patterns. Security patterns provide encapsulated solutions to specific security problems and can be used to build secure systems by designers with little knowledge of security. Despite this benefit, there is a lack of work that focuses on evaluating the capabilities of security analysis approaches for their support in incorporating security analysis patterns. This chapter presents evaluation results of a study we conducted to examine the extent to which constructs provided by security requirements engineering approaches can support the use of security patterns as part of the analysis of security problems. To achieve this general objective, the authors used a specific security pattern and examined the challenges of representing this pattern in some security modeling approaches. The authors classify the security modeling approaches into two categories, problem and solution, and illustrate their capabilities with well-known security patterns and some practical security examples. Based on the specific security pattern they have used, our evaluation results suggest that current approaches to security engineering are, to a large extent, capable of incorporating security analysis patterns.


Author(s):  
Alberto Coen-Porisini ◽  
Pietro Colombo ◽  
Sabrina Sicari

Enterprises have adopted various strategies to protect customers’ privacy and to make public their policies. This chapter presents a conceptual model for supporting the definition of privacy policies. The model, described by means of UML, introduces a set of concepts concerning privacy and defines the existent relationships among those concepts along with the interfaces for the definition of privacy related mechanisms. The chapter also illustrates how the conceptual model can be used to build design solutions for three recurrent requirements for privacy aware systems concerning the definition of anonymity, the acquisition of the informed consent, and privacy policies enforcement. The proposed problems are separately illustrated and a solution based on the conceptual model is described for each of them. Finally, in order to assess the model and the design solutions, this chapter presents an example concerning the health domain.


Author(s):  
Alexandros Loizidis ◽  
Vasilios Almaliotis ◽  
Panagiotis Katsaros

Java Card provides a framework of classes and interfaces that hide the details of the underlying smart card interface and make it possible to load and run on the same card several applets, from different application providers with complex trust relationships. This fact paves the way for new business applications, but the card issuer has to secure absence of malicious or faulty card applets. He has to be able to check that (i) applets do not cause illicit method invocations that violate temporal restrictions of inter-applet communication, (ii) applets protect themselves from unwanted information flow to third parties and (iii) it is not possible for an unhandled Java Card API exception to leave an applet in an unpredictable state that is potentially dangerous for the application’s security. The authors explore recent advances in theory and tool support of static program analysis and they present an approach for automatic verification of smart card applications that by definition are security critical.


Author(s):  
Piotr Cofta ◽  
Hazel Lacohée ◽  
Paul Hodgson

Companies are increasingly dependent on modern information and communication technology (ICT), yet the successful adoption of ICT systems stubbornly hovers at only around 50%, adding disappointment to business losses. Trust (both inter-personal and technology-related) has significant explanatory power when it comes to technology adoption, but only as part of a systematic methodology. Therefore, understanding more fully the interaction between human process and technology by adding the richness of socio-technical considerations to the design process of ICT systems should significantly improve adoption rates. At the same time, trust-based design has to demonstrate the (often neglected) business value of trust. ‘Designing for trust’, discussed in this chapter, is a design framework that consolidates trust governance and security management. Trust governance is a complete proposition that makes trust relevant to business practices, including the design and deployment of ICT systems. Trust governance incorporates the business justification of trust with an analytical framework, and a set of relevant tools and methods, as well as a maturity model. This chapter discusses how ‘designing for trust’ leverages trust governance into the design practices of ICT systems by complementing security-based methodologies, demonstrating the value of this approach.


Author(s):  
Christos Kalloniatis ◽  
Evangelia Kavakli ◽  
Stefanos Gritzalis

A major challenge in the field of software engineering is to make users trust the software that they use in their everyday activities for professional or recreational reasons. Trusting software depends on various elements, one of which is the protection of user privacy. Protecting privacy is about complying with users’ desires when it comes to handling personal information. Users’ privacy can also be defined as the right to determine when, how and to what extent information about them is communicated to others. Current research stresses the need for addressing privacy issues during the system design rather than during the system implementation phase. The aim of this chapter is to elevate the modern practices for ensuring privacy during the software systems’ design phase. Through the presentation of the modern methods, the basic privacy requirements that should be considered during system analysis are introduced. Additionally, a number of well-known methods that have been introduced in the research area of requirements engineering, which aim at eliciting and analyzing privacy requirements during system design, are introduced and analyzed. Finally, a comparative analysis between these methods is presented.


Author(s):  
Siv Houmb ◽  
Geri Georg ◽  
Dorina Petriu ◽  
Behzad Bordbar ◽  
Indrakshi Ray ◽  
...  

Developers of critical systems need to address several quality properties, such as security and performance, in the early stages of the development cycle to ensure that the system under construction meets its requirements. Sometimes quality properties conflict with each other and/or with the system’s functionalities, so the developers need to make trade-off decisions. Unreasonable costs, added developer resources and tight project schedules may be other reasons for having to trade off between alternative solutions. In the context of Model-Driven Development, the analysis of quality properties is done by transforming software design models into different analysis models based on various formalisms, which are then analyzed with existing tools. A major challenge is to integrate different models, transformations and tools into a consistent and coherent process. In this chapter the authors present a methodology called Aspect-Oriented Risk Driven Development (AORDD), which integrates the analysis of two quality properties, namely security and performance, into the development process of critical systems. Each quality property is analyzed separately, and then all results are input to a trade-off analysis that identifies conflicts between the properties. Trade-off analysis aims at supporting designers and developers in choosing the security and performance solutions that best fit their needs, without introducing unacceptable development delays or costs. The security analysis consists of identifying the assets (critical components, such as sensitive information) of an application and the attacks that can compromise these assets, and formally analyzing whether these attacks are actually possible using the tools UML2Alloy and Alloy Analyzer. If the system is vulnerable to the attack, some security solution, modeled as an aspect according to Aspect Oriented Modeling (AOM), is added to the system. The analysis must be repeated to ensure that the resulting system is secure.
Performance analysis is accomplished using Layered Queuing Network (LQN) models. Annotated system models are transformed into LQN models and performance experiments are executed on them. If the performance results are unacceptable, the system design has to be changed and the analysis repeated. Finally, the results of the security and performance analysis are input to the system quality property trade-off analysis, which is implemented as a Bayesian Belief Network (BBN) topology, and which also takes as input external parameters, such as time to market and budget constraints. The results of the trade-off analysis help identify how well a particular design meets performance, security and other project goals, which, in turn, can guide the developer in making informed design decisions. The approach is illustrated using a transactional web e-commerce benchmark (TPC-W) originally developed by the Transaction Processing Performance Council.

