Published in: Software Quality Journal 1/2015

01.03.2015

Security quality model: an extension of Dromey’s model

Authors: Saad Zafar, Misbah Mehboob, Asma Naveed, Bushra Malik


Abstract

The quantity of sensitive data that is stored, processed and transmitted has increased manyfold in recent years. With this dramatic increase comes the need to ensure that the data remain trustworthy, confidential and available at all times. Nonetheless, the recent spate of high-profile security incidents shows that software-based systems remain vulnerable due to the presence of serious security defects. Therefore, there is a clear need to improve the current state of software development to guide the development of more secure software. To this end, we propose a security quality model that provides a framework to identify known security defects, their fixes and the underlying low-level software components, along with the properties that positively influence the overall security of the product. The proposed model is based on Dromey’s quality model, which addresses the core issue of quality by providing explicit guidelines on how to build quality into a product. Furthermore, to incorporate security, we have introduced several new model components and model construction guidelines, as Dromey’s model does not address security explicitly and its model construction guidelines are not specific enough. We use well-known defects and security controls to construct the model as a proof of concept. The constructed model can be used by programmers during development and by quality engineers for audit purposes. We also propose an automated environment in which the model can be used in practice.

Metadata
Title
Security quality model: an extension of Dromey’s model
Authors
Saad Zafar
Misbah Mehboob
Asma Naveed
Bushra Malik
Publication date
01.03.2015
Publisher
Springer US
Published in
Software Quality Journal / Issue 1/2015
Print ISSN: 0963-9314
Electronic ISSN: 1573-1367
DOI
https://doi.org/10.1007/s11219-013-9223-1
