DOI: 10.1145/1179494.1179498

Using model-based security analysis in component-oriented system development

Published: 30 October 2006

Abstract

We propose an integrated process for component-based system development and security risk analysis. The integrated process is evaluated in a case study involving an instant messaging component for smart phones. We specify the risk behaviour and functional behaviour of components using the same kinds of description techniques. We represent main security risk analysis concepts, such as assets, stakeholders, threats and risks, at the component level.

    Published In

    QoP '06: Proceedings of the 2nd ACM workshop on Quality of protection
    October 2006
    70 pages
    ISBN:1595935533
    DOI:10.1145/1179494
    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. case studies
    2. security risk analysis


    Conference

    CCS06