Automated threat identification for UML Yee, George; Xie, Xingli; Majumdar, Shikharesh
2010 International Conference on Security and Cryptography (SECRYPT),
2010-July
Conference Proceeding
In tandem with the growing important roles of software in modern society is the increasing number of threats to software. Building software systems that are resistant to these threats is one of the greatest challenges in information technology. Threat identification methods for secure software development can be found in the literature. However, none of these methods has involved automatic threat identification based on analyzing UML models. Such an automated approach should offer benefits in terms of speed and accuracy when compared to manual methods, and at the same time be widely applicable due to the ubiquity of UML. This paper addresses this shortcoming by proposing an automated threat identification method based on parsing UML diagrams.
Most traditional software development methodologies do not explicitly include a standardised method for incorporating information security into their life cycles. It is argued that security considerations should provide input into every phase of the Software Development Life Cycle (SDLC), from requirements gathering to design, implementation, testing and deployment. Therefore, to build more secure software applications, an improved software development process is required. The Secure Software Development Model (SecSDM), as described in this paper, is based on many of the recommendations provided by relevant international standards and best practices, for example, the ISO 7498-2 (1989) standard which addresses the underlying security services and mechanisms that form an integral part of the model.
Guidelines for secure software development Futcher, Lynn; von Solms, Rossouw
Proceedings of the 2008 annual research conference of the South African Institute of Computer Scientists and Information Technologists on IT research in developing countries: riding the wave of technology,
10/2008
Conference Proceeding
It is within highly integrated technology environments that information security is becoming a focal point for designing, developing and deploying software applications. Ensuring a high level of trust in the security and quality of these applications is crucial to their ultimate success. Information security has therefore become a core requirement for software applications, driven by the need to protect critical assets and the need to build and preserve widespread trust in computing. The aim of this paper is to provide guidance to software designers and developers by defining a set of guidelines for secure software development. The guidelines established are based on various internationally recognised standards and best practices and some of the processes developed by many key role players.
Building secure software is about taking security into account during all phases of software development. This practice is missing in widely used traditional developments due to domain immaturity, newness of the field and process complexity. Software development includes two views, a product view and a process view. Product view defines what the product is, whereas process view describes how the product is developed. Here we are concerned with the process view. Modelling the process allows one to simulate and analyze a software development process, which can help developers better understand, manage and optimize the software development process. In this paper we present our approach S2D-ProM, for Secure Software Development Process Model, which is a strategy oriented process model. The latter captures the steps and strategies that are required for the development of secure software and provides two-level guidance. The first-level guidance is strategic, helping developers choose one among several strategies. The second-level guidance is tactical, helping developers achieve their selection for producing secure software. The proposed process model is easily extensible and allows building customized processes adapted to context, developer's finalities and product state. This flexibility allows the environment to evolve through time to support new securing strategies.
In this paper, we present the results of a security assessment performed on a home care system based on SOA, realized as web services. The security design concepts of this platform were specifically tailored to meet new security challenges and to be compliant with legal frameworks applicable to the healthcare domain. This security design was fed as input to the development team, which implemented the system. However, our assessment revealed a software platform with severe security weaknesses and vulnerabilities, demonstrating pitfalls that are, or should be, well known. Our experience re-confirms that security must be built as an intrinsic software property and emphasizes the need for security awareness throughout the whole software development lifecycle.
Secure software development has gained momentum during the past couple of years and improvements have been made. Buyers have started to demand secure software and contractual practices for taking security into consideration in the software purchasing context have been developed. Software houses naturally are very keen to provide what their potential customers desire with respect to security and quality of their products. This study analyses the capacity of private bargaining to incite secure software development and suggests methods for improvement. I argue that without appropriate regulatory intervention the level of security will not improve to meet the needs of the network society as a whole. There are not appropriate incentives for secure development in the market for software products. The software houses do not have to bear the costs resulting from vulnerabilities in their software and the buyers' capability to separate a secure product from an insecure one is limited.
Secure software development has become a topic of increasing importance, as a general fear rises due to security holes, vulnerabilities, and attacks. To ensure the security of information in a society of file sharing, on-line business transactions, and e-communication, undergraduate students will soon be required to implement software security concepts into their software development processes as soon as they complete their degrees. Consequently, it is imperative for graduates of computer science departments to be trained in the fundamentals of information security and to gain hands-on experience with secure software development. To address this issue computer science educators at the undergraduate level are turning their attentions to incorporating security issues within traditional computer science courses. The paper describes an existing undergraduate software engineering course that has been modified to include software security concepts. Challenges and future work are also presented.
Securing analysis patterns Fernandez, Eduardo B.; Yuan, Xiaohong
ACM Southeast Regional Conference: Proceedings of the 45th annual southeast regional conference; 23-24 Mar. 2007,
03/2007
Conference Proceeding
One of the latest ways to improve software security is based on the use of security patterns. Security patterns provide encapsulated solutions to specific security problems and can be used to build secure systems by designers with little knowledge of security. We present here a way to use security patterns to add security to applications. This is accomplished by adding instances of security patterns to the conceptual model of the application. This approach is part of a secure systems development methodology but it can be used on its own.
Siemens' central security team drives secure software development across a diverse product portfolio. From factory automation to wind turbines, Siemens builds security in by activities including standardizing roles and responsibilities, threat and risk analysis, and product security risk management across Siemens' 15,000 software developers.