nach oben

Software and Systems Modeling

Erschienen in:

06.08.2015 | Regular Paper

Design notations for secure software: a systematic literature review

verfasst von: Alexander van den Berghe, Riccardo Scandariato, Koen Yskout, Wouter Joosen

Erschienen in: Software and Systems Modeling | Ausgabe 3/2017

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In the past 10 years, the research community has produced a significant number of design notations to represent security properties and concepts in a design artifact. These notations are aimed at documenting and analyzing security in a software design model. The fragmentation of the research space, however, has resulted in a complex tangle of different techniques. Hence, practitioners are confronted with the challenging task of scouting the right approach from a multitude of proposals. Similarly, it is hard for researchers to keep track of the synergies among the existing notations, in order to identify the existing opportunities for original contributions. This paper presents a systematic literature review that inventorizes the existing notations and provides an in-depth, comparative analysis for each.

Vorheriger Artikel Refinement-based Validation of Event-B Specifications

Nächster Artikel A graph-theoretic method for the inductive development of reference process models

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

http://www.arc.gov.au/era/era_2010/archive/era_journal_list.htm.

Abramov, J., Anson, O., Dahan, M., Shoval, P., Sturm, A.: A methodology for integrating access control policies within database development. Comput. Secur. 31(3), 299–314 (2012)CrossRef

Abramov, J., Sturm, A., Shoval, P.: Evaluation of the pattern-based method for secure development (PbSD): a controlled experiment. Inf. Softw. Technol. 54(9), 1029–1043 (2012)CrossRef

Ahn, G.-J., Hong, S.-P., Shin, M.E.: Reconstructing a formal security model. Inf. Softw. Technol. 44(11), 649–657 (2002)CrossRef

Alam, M., Breu, R., Hafner, M.: Model-driven security engineering for trust management in SECTET. J. Softw. 2(1), 47–59 (2007)CrossRef

Avizienis, A., Laprie, J.-C., Randell, B., Landwehr, C.: Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secure Comput. 1(1), 11–33 (2004)CrossRef

Basin, D., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Inf. Softw. Technol. 51(5), 815–831 (2009)CrossRef

Basin, D., Doser, J., Lodderstedt, T.: Model driven security: from UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol. 15(1), 39–91 (2006)CrossRef

Best, B., Jürjens, J., Nuseibeh, B.: Model-Based Security Engineering of Distributed Information Systems Using UMLsec. In: Proceedings of the 29th International Conference on Software Engineering, ICSE ’07, pp. 581–590. Washington, DC, USA (2007). IEEE Computer Society

Buyens, K., Scandariato, R., Joosen, W.: Least privilege analysis in software architectures. Softw. Syst. Model. 12(2), 1–18 (2011)

10.

Dai, L., Cooper, K.: Modeling and performance analysis for security aspects. Sci. Comput. Program. 61(1), 58–71 (2006)MathSciNetCrossRefMATH

11.

Dai, L., Cooper, K.: A survey of modeling and analysis approaches for architecting secure software systems. Int. J. Netw. Secur. 5(2), 187–198 (2007)

12.

Dai, L., Cooper, K.: Using FDAF to bridge the gap between enterprise and software architectures for security. Sci. Comput. Program. 66(1), 87–102 (2007)MathSciNetCrossRef

13.

Dehlinger, J., Subramanian, N.: Architecting Secure Software Systems Using an Aspect-Oriented Approach: A Survey of Current Research. In: Technical Report, Iowa State University (2006)

14.

Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir. Eng. 16(1), 187–198 (2012)

15.

Díaz, P., Aedo, I., Montero, S.: Ariadne, a development method for hypermedia. In: Mayr, H.C., Lazansky, J., Quirchmayr, G., Vogel, P. (eds.) Database and Expert Systems Applications. Lecture Notes in Computer Science, vol. 2113, pp. 764–774. Springer, Berlin (2001)

16.

Díaz, P., Aedo, I., Sanz, D., Malizia, A.: A Model-Driven Approach for the Visual Specification of Role-Based Access Control Policies in Web Systems. In: IEEE Symposium on Visual Languages and Human-Centric Computing, 2008. VL/HCC 2008. pp. 203–210 (2008)

17.

Fernández-Medina, E., Piattini, M.: Designing secure databases. Inf. Softw. Technol. 47(7), 463–477 (2005)CrossRef

18.

Fernández-Medina, E., Trujillo, J., Villarroel, R., Piattini, M.: Developing secure data warehouses with a UML extension. Inf. Syst. 32(6), 826–856 (2007)CrossRef

19.

Georg, G., Ray, I., Anastasakis, K., Bordbar, B., Toahchoodee, M., Houmb, S.H.: An aspect-oriented methodology for designing secure applications. Inf. Softw. Technol. 51(5), 846–864 (2009)CrossRef

20.

Georg, G., Ray, I., France, R.: Using Aspects to Design a Secure System. In: Proceedings of the Eighth International Conference on Engineering of Complex Computer Systems, ICECCS ’02, p. 117. IEEE Computer Society, Washington (2002)

21.

Giordano, M., Polese, G., Scanniello, G., Tortora, G.: A system for visual role-based policy modelling. J. Vis. Lang. Comput. 21(1), 41–64 (2010)CrossRef

22.

Gomaa, H., Eonsuk Shin, M.: Modelling Complex Systems by Separating Application and Security Concerns. In: Proceedings of Ninth IEEE International Conference on Engineering Complex Computer Systems, pp. 19–28 (2004)

23.

Hafner, M., Breu, M., Breu, R., Nowak, A.: Modelling Inter-organizational Workflow Security in a Peer-to-Peer Environment. In: Proceedings of 2005 IEEE International Conference on Web Services, 2005. ICWS 2005. p. 540 (2005)

24.

Heldal, R., Hultin, F.: Bridging Model-Based and Language-Based Security. In: Snekkenes E., Gollmann D. (eds) Computer Security ESORICS 2003, volume 2808 of Lecture Notes in Computer Science, pp. 235–252. Springer, Berlin (2003). doi:10.1007/978-3-540-39650-5_14

25.

Hoisl, B., Sobernig, S., Strembeck, M.: Modeling and enforcing secure object flows in process-driven SOAs: an integrated model-driven approach. Softw. Syst. Model. 13(2), 513–548 (2014). doi:10.1007/s10270-012-0263-y

26.

Hu, H., Ahn, G.-J.: Constructing authorization systems using assurance management framework. IEEE Trans. Syst. Man Cybern. Part C Appl. Rev. 40(4), 396–405 (2010)CrossRef

27.

Hussain, S., Rasool, G., Atef, M., Shahid, A.K.: A review of approaches to model security into software systems. J. Basic Appl. Sci. Res. 3(4), 642–647 (2013)

28.

Jayaram, K.R., Mathur, A.P.: Software Engineering for Secure Software—State of the Art: A Survey. In: Technical Report CERIAS 2005-67, Purdue University (2005)

29.

Jensen, J., Jaatun, M.G.: Security in Model Driven Development: A Survey. In: 2011 Sixth International Conference on Availability, Reliability and Security (ARES), pp. 704–709 (2011)

30.

Jürjens, J.: Secure Systems Development with UML. Springer, Berlin (2004)MATH

31.

Jürjens, J.: Sound Methods and Effective Tools for Model-Based Security Engineering with UML. In: Proceedings of the 27th International Conference on Software Engineering, ICSE ’05, pp. 322–331. ACM, New York (2005)

32.

Jürjens, J.: Security and dependability engineering. In: Kokolakis, S., Gómez, A.M., Spanoudakis, G. (eds.) Security and Dependability for Ambient Intelligence, Volume 45 of Advances in Information Security, pp. 21–36. Springer, Berlin (2009)CrossRef

33.

Jürjens, J., Lehrhuber, M., Wimmel, G.: Model-Based Design and Analysis of Permission-Based Security. In: Proceedings of 10th IEEE International Conference on Engineering of Complex Computer Systems, 2005. ICECCS 2005. pp. 224–233 (2005)

34.

Jürjens, J., Schreck, J., Bartmann, P.: Model-Based Security Analysis for Mobile Communications. In: Proceedings of the 30th International Conference on Software Engineering, ICSE ’08, pp. 683–692. ACM, New York (2008)

35.

Jürjens, J., Shabalin, P.: Tools for secure systems development with UML. Int. J. Softw. Tools Technol. Transf. 9, 527–544 (2007)CrossRef

36.

Kasal, K., Heurix, J., Neubauer, T.: Model-Driven Development Meets Security: An Evaluation of Current Approaches. In: 2011 44th Hawaii International Conference on System Sciences (HICSS), pp. 1–9 (2011)

37.

Keller, F., Wendt, S.: FMC: An approach towards architecture-centric system development. In: Proceedings of 10th IEEE International Conference and Workshop on the Engineering of Computer-Based Systems, 2003, pp. 173–182. IEEE (2003)

38.

Khan, M.U.A., Zulkernine, M.: A Survey on Requirements and Design Methods for Secure Software Development. In: Technical Report 2009-562, School of Computing, Queen’s University, Kingston, Ontario, Canada (2009)

39.

Khwaja, A.A., Urban, J.E.: A synthesis of evaluation criteria for software specifications and specification techniques. Int. J. Softw. Eng. Knowl. Eng. 12(5), 581–599 (2002)CrossRef

40.

Kim, S., Kim, D.-K., Lu, L., Kim, S., Park, S.: A feature-based approach for modeling role-based access control systems. J. Syst. Softw. 84(12), 2035–2052 (2011)CrossRef

41.

Kitchenham, B., Charters, S.: Guidelines for Performing Systematic Literature Reviews in Software Engineering. In: Technical Report EBSE 2007-001, Keele University and Durham University Joint Report (2007)

42.

Koch, M., Mancini, L.V., Parisi Presicce, F.: A graph-based formalism for RBAC. ACM Trans. Inf. Syst. Secur. 5(3), 332–365 (2002)CrossRef

43.

Koch, M., Parisi-Presicce, F.: UML specification of access control policies and their formal verification. Softw. Syst. Model. 5(4), 429–447 (2006)CrossRef

44.

Kong, J., Xu, D., Zeng, X.: UML-based modeling and analysis of security threats. Int. J. Softw. Eng. Knowl. Eng. 20(6), 875–897 (2010)CrossRef

45.

Lúcio, L., Zhang, Q., Nguyen, P.-H., Amrani, M., Klein, J., Vangheluwe, H., Le Traon, Y.: Advances in Model-Driven Security. Adv. Comput. 93, 103–152 (2013)

46.

Matulevičius, R., Dumas, M.: A Comparison of SecureUML and UMLsec for Role-Based Access Control. In: Databases and Information Systems, pp. 171–185 (2010)

47.

Mayer, P., Koch, N., Schroeder, A., Knapp, A.: The UML4SOA Profile. In: Technical report, LMU Muenchen (2010)

48.

Memon, M., Menghwar, G., Depar, M., Jalbani, A., Mashwani, W.: Security modeling for service-oriented systems using security pattern refinement approach. Softw. Syst. Model. 13(2), 549–572 (2014). doi:10.1007/s10270-012-0268-6

49.

Menzel, M., Meinel, C.: A Security Meta-Model for Service-Oriented Architectures. In: IEEE International Conference on Services Computing, 2009. SCC ’09. , pp. 251–259 (2009)

50.

Menzel, M., Meinel, C.: SecureSOA Modelling Security Requirements for Service-Oriented Architectures. In: 2010 IEEE International Conference on Services Computing (SCC), pp. 146–153 (2010)

51.

Nakamura, Y., Tatsubori, M., Imamura, T., Ono, K.: Model-Driven Security Based on a Web Services Security Architecture. In: 2005 IEEE International Conference on Services Computing, vol. 1, pp. 7–15 (2005)

52.

Nguyen, P.-H., Klein, J., Le Traon, Y., Kramer, M.E.: A Systematic Review of Model-Driven Security. In: Software Engineering Conference (APSEC, 2013 20th Asia-Pacific), vol. 1, pp. 432–441 (2013)

53.

OMG. OMG Unified Modeling Language (OMG UML), Infrastructure (2011). OMG. http://www.omg.org/spec/UML/2.4.1/Infrastructure/PDF

54.

OMG. OMG Unified Modeling Language (OMG UML), Superstructure (2011). OMG. http://www.omg.org/spec/UML/2.4.1/Superstructure/PDF

55.

OMG. OMG Object Constraint Language (OCL) (2012). OMG. http://www.omg.org/spec/OCL/2.3.1/PDF

56.

OMG. Service Oriented architecture Modeling Language (SoaML) Specification (2012). OMG. http://www.omg.org/spec/SoaML/1.0.1/PDF

57.

Pavlich-Mariscal, J.A., Demurjian, S.A., Michel, L.D.: A framework of composable access control features: preserving separation of access control concerns from models to code. Comput. Secur. 29(3), 350–379 (2010)CrossRef

58.

Ray, I., France, R., Li, N., Georg, G.: An aspect-based approach to modeling access control concerns. Inf. Softw. Technol. 46(9), 575–587 (2004)CrossRef

59.

Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)CrossRef

60.

Satoh, F., Nakamura, Y., Ono, K.: Adding Authentication to Model Driven Security. In: Proceedings of the IEEE International Conference on Web Services, ICWS ’06, pp. 585–594. IEEE Computer Society, Washington (2006)

61.

Shah, V., Hill, F.: An Aspect-Oriented Security Framework: Lessons Learned. In: AOSD Technology for Application-level Security (AOSDSEC) (2004)

62.

Sohr, K., Ahn, G.-J., Gogolla, M., Migge, L.: Specification and Validation of Authorisation Constraints Using UML and OCL. In: de Capitani, S., di Vimercati, P., Syverson, D. Gollmann, (eds.) Computer Security ESORICS 2005. Lecture Notes in Computer Science, vol. 3679, pp. 64–79. Springer, Berlin Heidelberg (2005)

63.

Standard. The Common Criteria: Security functional components. https://www.commoncriteriaportal.org (2012)

64.

Standard. WS-SecurityPolicy v1.3. OASIS Standard incorporating Approved Errata. http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/errata01/os/ws-securitypolicy-1.3-errata01-os-complete.html (2012)

65.

Standard. WS-Trust 1.4. OASIS Standard Incorporating Approved Errata. http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html (2012)

66.

Talhi, C., Mouheb, D., Lima, V., Debbabi, M., Wang, L., Pourzandi, M.: Usability of security specification approaches for UML design: a survey. J. Object Technol. 8(6), 103–122 (2009)CrossRef

67.

Trujillo, J., Soler, E., Fernández-Medina, E., Piattini, M.: An engineering process for developing secure data warehouses. Inf. Softw. Technol. 51(6), 1033–1051 (2009)CrossRef

68.

Uzunov, A.V., Fernandez, E.B., Falkner, K.: Engineering security into distributed systems a survey of methodologies. J. Univ. Comput. Sci. 18(20), 2920–3006 (2012)

69.

Vela, B., Blanco, C., Fernández-Medina, E., Marcos, E.: A practical application of our MDD approach for modeling secure XML data warehouses. Decis. Support Syst. 52(4), 899–925 (2012)CrossRef

70.

Villarroel, R., Fernández-Medina, E., Piattini, M.: Secure information systems development—a survey and comparison. Comput. Secur. 24(4), 308–321 (2005)CrossRef

71.

Website. https://people.cs.kuleuven.be/alexander.vandenberghe/review/overview.html

72.

Xu, D., Nygard, K.E.: Threat-driven modeling and verification of secure software using aspect-oriented petri nets. IEEE Trans. Softw. Eng. 32(4), 265–278 (2006)CrossRef

73.

Yu, L., France, R., Ray, Indrakshi, Ghosh, S.: A Rigorous Approach to Uncovering Security Policy Violations in UML Designs. In: 2009 14th IEEE International Conference on Engineering of Complex Computer Systems, pp. 126–135 (2009)

Titel: Design notations for secure software: a systematic literature review
verfasst von: Alexander van den Berghe
Riccardo Scandariato
Koen Yskout
Wouter Joosen
Publikationsdatum: 06.08.2015
Verlag: Springer Berlin Heidelberg
Erschienen in: Software and Systems Modeling / Ausgabe 3/2017
Print ISSN: 1619-1366
Elektronische ISSN: 1619-1374
DOI: https://doi.org/10.1007/s10270-015-0486-9

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Weitere Artikel der Ausgabe 3/2017

Designing secure business processes with SecBPMN

A fractal enterprise model and its application for business development

Business processes in the agile organisation: a socio-technical perspective

Refinement-based Validation of Event-B Specifications

Theme section of BPMDS’2014: the human perspective in business processes

A graph-theoretic method for the inductive development of reference process models