on the secure software development in early stages within
play

On the Secure Software Development in Early Stages within UML - PowerPoint PPT Presentation

Sep 16, 2022 •30 likes •480 views

On the Secure Software Development in Early Stages within UML Profiles Ricardo J. Rodr guez rjrodriguez@unizar.es http://www.ricardojrodriguez.es 19 th September, 2011 This work has been developed in collaboration with Simona Bernardi

  1. On the Secure Software Development in Early Stages within UML Profiles Ricardo J. Rodr´ ıguez rjrodriguez@unizar.es http://www.ricardojrodriguez.es 19 th September, 2011 This work has been developed in collaboration with Simona Bernardi (Centro Universitario de la Defensa) and Jos´ e Merseguer (Universidad de Zaragoza) 7 th Hack.LU Luxembourg, Luxembourg Grand-Duch´ e

  2. Motivation Motivation (I) Development Cycle Phases Analysis Requirements (properties): Functional: what the system does Technical data, data processing. . . Non-functional: how the system does No. of clients to attend, transfer speed. . . Requirements engineer role 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 2 / 29

  3. Motivation Motivation (II) Requirements analysis Functional: (more or less) obvious What about non-functional? Constraints, usability, performance. . . After this: systems engineer + software engineer Security: the Forgotten One (1) Non-functional property of the system Lack of interest Consequence: “fix it later” Fix the problem when the problem raises. . . 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 3 / 29

  4. Motivation Motivation (III) Security: the Forgotten One (2) Severe consequences High cost reimplementation/redesign Financial looses Down services → less customers Disclosure of confidential data (e.g., Sony PSN) Who pays? Requirements engineer? Systems engineer? Software engineer? 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 4 / 29

  5. Motivation Motivation (III) Security: the Forgotten One (2) Severe consequences High cost reimplementation/redesign Financial looses Down services → less customers Disclosure of confidential data (e.g., Sony PSN) Who pays? Requirements engineer? Systems engineer? Software engineer? Subprime lending? 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 4 / 29

  6. Motivation Motivation (III) Security: the Forgotten One (2) Severe consequences High cost reimplementation/redesign Financial looses Down services → less customers Disclosure of confidential data (e.g., Sony PSN) Who pays? Requirements engineer? Systems engineer? Software engineer? Subprime lending? All of’em (no, subprime crisis not here. . . ) & nobody 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 4 / 29

  7. Motivation Motivation (IV) So, then what? Minimum of security knowledge Think on security on ALL development phases Methodology change → Secure Software Engineering 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 5 / 29

  8. Motivation Motivation (IV) So, then what? Minimum of security knowledge Think on security on ALL development phases Methodology change → Secure Software Engineering Security: from the beginning to the end 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 5 / 29

  9. Related work Related work (I) Requirements, architecture & aspects. . . Requirements analysis Haley et al. ( SESS , 2006) Wolter et al. ( Requir. Eng. , 2010) Architecture Schmidt et al. ( SA , 2006) Yskout et al. ( ARES , 2008) Abi-Antoun et al. ( ASE , 2010) Heyman et al. ( ESSoS , 2011) Aspect-oriented Braga et al. ( SoSym , 2010) Georg et al. ( TSE , 2011) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 6 / 29

  10. Related work Related work (II) Methodologies, patterns & formal methods. . . Design frameworks Mouratidis et al. ( CAiSE , 2003) Islan et al. ( SoSym , 2010) Khan ( Comp. F & S, Aug 2011 ) SDL (Microsoft) Security patterns Fern´ andez ( SERP , 2004) Halkidis et al. ( TDSC , 2008) Formal methods (automata or Petri nets) Schneider ( TISSEC , 2000) Horvath et al. ( SESS , 2008) Patzina et al. ( SD4RCES , 2010) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 7 / 29

  11. Related work Related work (III) Semi-formal methods. . . Using UML J¨ urgens (UMLSec, UML , 2002) Lodderstedt et al. (SecureUML, UML , 2002) Goudalo et al. ( SECURWARE , 2008) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 8 / 29

  12. Related work Related work (III) Semi-formal methods. . . Using UML J¨ urgens (UMLSec, UML , 2002) Lodderstedt et al. (SecureUML, UML , 2002) Goudalo et al. ( SECURWARE , 2008) UML-based approach Standard de facto Structural and behavioural system aspects Well-known → does it make easier to add security? 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 8 / 29

  13. Background Background (I) UML profile: what? OMG standard Stereotypes and tagged values 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 9 / 29

  14. Background Background (I) UML profile: what? OMG standard Stereotypes and tagged values Annotate UML elements Expressing Non-Functional Properties (NFP) on the UML designs Extending model semantic OMG example Modelling and Analysis of RT Embedded systems (MARTE) Support for performance and schedulability analysis NFPs expressed thru VSL ( Value Specification Language ) syntax OMG. A UML profile for Modeling and Analysis of Real Time Embedded Systems (MARTE). Document ptc/09-11-02 , 2009 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 9 / 29

  15. Background Background (II) Security definition (classic) Confidentiality Integrity Availability 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 10 / 29

  16. Background Background (II) Security definition (classic) Confidentiality Integrity Availability Tight relation with dependability (Avizienis) Dependability UML profile Dependability Analysis and Modelling (DAM) MARTE specialisation Dependability properties into UML ++Literature (many use cases) Avizienis, A. et al. Basic Concepts and Taxonomy of Dependable and Secure Computing. TDSC , 2004 Bernardi, S. et al. A Dependability Profile within MARTE. Journal of Software and Systems Modelling , 2009 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 10 / 29

  17. Background Background (III) s c o a n f f i d e e n t t m i a a i y l y n t i i t l t a i b y n a a i l b e i r l i t y Dependability Security y availability integrity i t n i l t i e b g a r l i i a t v y a 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 11 / 29

  18. Background Background (IV) Ok mate, and all this, what for? Quantitative analysis Conversion to formal models (Petri nets, PN) Powerful analysis techniques 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 12 / 29

  19. Background Background (IV) Ok mate, and all this, what for? Quantitative analysis Conversion to formal models (Petri nets, PN) Powerful analysis techniques Petri net Mathematical model Places (circles, p X ) Transitions (rectangles, t X ) Time transitions interpretation Immediate ( t = 0) Timed (deterministic or probabilistic distribution) Tokens (black dots) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 12 / 29

  20. SecAM UML profile A general overview. . . SecAM UML profile (I): a general overview. . . Security Analysis and Modelling 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 13 / 29

  21. SecAM UML profile Cryptography package SecAM UML profile (II): Cryptography package (1) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 14 / 29

  22. SecAM UML profile Cryptography package SecAM UML profile (II): Cryptography package (2) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 15 / 29

  23. SecAM UML profile SecurityMechanisms package SecAM UML profile (II): SecurityMechanisms package (1) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 16 / 29

  24. SecAM UML profile SecurityMechanisms package SecAM UML profile (II): SecurityMechanisms package (2) <<gaCommHost>> «secaFirewall» WAN {location=Network; defenceType=Reactive; «secaFirewall» filterLevel=Stateful} {location=Network; defenceType=Reactive; filterLevel=Packet} <<deviceResource>> <<secaFirewall>> <<gaCommHost>> <<secaFirewall>> <<deviceResource>> LAN firewall InternalFirewall <<secaDMZ>> <<secaBastion>> <<secaBastion>> <<gaCommHost>> WebServer TestServer InternaLAN <<secaBastion>> <<secaBastion>> MailServer ProxyServer «secaBastion» <<secaBastion>> <<secaLink>> {service=Mail} «secaLink» VPNServer <<gaCommHost>> {nFactor=2; SecureInternalLAN layer=Network; «secaBastion» protocol=IPsec} {service=VPN} 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 17 / 29

  25. SecAM UML profile Resilience package SecAM UML profile (III): Resilience package (1) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 18 / 29

  26. SecAM UML profile Resilience package SecAM UML profile (III): Resilience package (2) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 19 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
To Your Health: Software Development in Genentech Research and Early Development (gRED) Erik

To Your Health: Software Development in Genentech Research and Early Development (gRED) Erik

To Your Health: Software Development in Genentech Research and Early Development (gRED) Erik Bierwagen Genentech Bioinformatics and Computational Biology Scientific Software development/engineering Big data Large, distributed

837 views • 46 slides
Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on

Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on

Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle

598 views • 34 slides
Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is

Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is

Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is software engineering? An engineering discipline that is concerned with all aspects of software production from the early stages of system

676 views • 29 slides
Shallow NLP Three Early Stages: Pre-processing, Tokenization &amp; Morphological Analysis by

Shallow NLP Three Early Stages: Pre-processing, Tokenization &amp; Morphological Analysis by

CoLi USb Resources for com putational linguists Sem inar Shallow NLP Three Early Stages: Pre-processing, Tokenization &amp; Morphological Analysis by Achmad Yani CoLi Saarland University Contents 1 STAGES IN NLP SYSTEMS PRE-PROCESSING 2 3

644 views • 19 slides
The Impedance Budget Toolbox Structure and main concepts Introduction Early stages of

The Impedance Budget Toolbox Structure and main concepts Introduction Early stages of

The Impedance Budget Toolbox Structure and main concepts Introduction Early stages of development Outline of general structure Based on impedance_toolbox of D. Amorim and IW2D toolbox of N. Mounet Aims to provide a set

351 views • 9 slides
What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recent Security Incidents Garmin Ransomware -- $10 million Sync servers down for many days

506 views • 21 slides
Migration to Stages V7 Stages V7 UI Concept 2 Stages V7 Reporting Migration Guide:

Migration to Stages V7 Stages V7 UI Concept 2 Stages V7 Reporting Migration Guide:

Migration to Stages V7 Stages V7 UI Concept 2 Stages V7 Reporting Migration Guide: https://doc.stagesasaservice.com/doku.php?id=v7migrate:reports 3 Stages V7 Compliance 4 Stages V7 Tailoring 5 Stages V7 User Management 6

694 views • 15 slides
5 STAGES OF INTIMACY Dr. Jessica Higgins THE DEVELOPMENT OF INTIMACY Every couple goes

5 STAGES OF INTIMACY Dr. Jessica Higgins THE DEVELOPMENT OF INTIMACY Every couple goes

5 STAGES OF INTIMACY Dr. Jessica Higgins THE DEVELOPMENT OF INTIMACY Every couple goes through clear and predictable developmental stages within their relationship. The stages are not linear, as sometimes life challenges require us to

353 views • 32 slides
Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka , Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek 12 Aug 2018 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE

565 views • 39 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE SECURITY SPECIALIST Agenda Software Security Overview Software Security Methodologies Security Test Methods Analysis Tools Tools

497 views • 25 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Outline Big-Picture Introduction CSci 4271W Development of Secure Software Systems

Outline Big-Picture Introduction CSci 4271W Development of Secure Software Systems

Outline Big-Picture Introduction CSci 4271W Development of Secure Software Systems Breakout-group Introductions Day 1: Introduction and logistics Stephen McCamant (he/him/his) Course Logistics University of Minnesota, Computer Science &amp;

637 views • 6 slides
Use Case Evaluation (UCE): A Method for Early Usability Evaluation in Software Development Kasper

Use Case Evaluation (UCE): A Method for Early Usability Evaluation in Software Development Kasper

The USE Project: Usability Evaluation and Software Design: Bridging the Gap University of Copenhagen Aalborg University Use Case Evaluation (UCE): A Method for Early Usability Evaluation in Software Development Kasper Hornbk Department of

359 views • 14 slides
A brief historic overview of Syntax &amp; Early stages in Transformational Syntax Syntactic

A brief historic overview of Syntax &amp; Early stages in Transformational Syntax Syntactic

A brief historic overview Generative Grammar A brief historic overview of Syntax &amp; Early stages in Transformational Syntax Syntactic Theory Winter Semester 2009/2010 Antske Fokkens Department of Computational Linguistics Saarland

828 views • 56 slides
The American Consumer: Reforming, or Just Resting? Christopher Carroll 1 Jirka Slacalek 2 1 Johns

The American Consumer: Reforming, or Just Resting? Christopher Carroll 1 Jirka Slacalek 2 1 Johns

The American Consumer: Reforming, or Just Resting? Christopher Carroll 1 Jirka Slacalek 2 1 Johns Hopkins and NBER 2 European Central Bank May 31, 2009 Household Net Worth and Its Components Figure: Wealth Components as a Ratio to Disposable

514 views • 23 slides
Discussion of Mian and Sufis House Price Gains and U.S. Household Spending from 2002 to

Discussion of Mian and Sufis House Price Gains and U.S. Household Spending from 2002 to

Discussion of Mian and Sufis House Price Gains and U.S. Household Spending from 2002 to 2006 Robert E. Hall Hoover Institution and Department of Economics Stanford University with help from Susan E. Woodward Lessons from the

654 views • 38 slides
Breach-Resistant Structured Encryption Ghous Amjad, Seny Kamara &amp; Tarik Moataz 2 Databases

Breach-Resistant Structured Encryption Ghous Amjad, Seny Kamara &amp; Tarik Moataz 2 Databases

Breach-Resistant Structured Encryption Ghous Amjad, Seny Kamara &amp; Tarik Moataz 2 Databases A database is an organized collection of data --- Wikipedia 3 Encrypted Database Enc K 4 Q : can we encrypt DBs even in use? 5 Efficiency

770 views • 44 slides
MSHA Investigations and Document Requests Energy and Mineral Law

MSHA Investigations and Document Requests Energy and Mineral Law

MSHA Investigations and Document Requests Energy and Mineral Law Foundation Mineral Law Conference October 19-20, 2016 Lexington, KY Mark E. Heath Jeffrey K.

815 views • 36 slides
of benefits (DOB) What is a DOB? A duplication occurs when a beneficiary receives assistance

of benefits (DOB) What is a DOB? A duplication occurs when a beneficiary receives assistance

Procedures &amp; Tools for Reviewing and Preventing Duplication of Benefits Overview of duplication of benefits (DOB) What is a DOB? A duplication occurs when a beneficiary receives assistance from multiple sources for a cumulative amount

708 views • 31 slides
Thurs. Mar. 29 University of Houston Law Center D. C. Toedt III Z&amp;B Chapter 5D Legal

Thurs. Mar. 29 University of Houston Law Center D. C. Toedt III Z&amp;B Chapter 5D Legal

Contract Drafting Class 20 Thurs. Mar. 29 University of Houston Law Center D. C. Toedt III Z&amp;B Chapter 5D Legal opinions Legal opinions takeaways: 1. Third parties might rely on it sue the lawyer if things go wrong 2. Limitations

628 views • 29 slides
9-month 2011 results 15 November 2011 Q3 2011 results 15 November 2011 2 This presentation

9-month 2011 results 15 November 2011 Q3 2011 results 15 November 2011 2 This presentation

15/11/2011 1 9-month 2011 results 15 November 2011 Q3 2011 results 15 November 2011 2 This presentation contains projections and forecasts. They express objectives based on the current assessments and estimates of the Groups senior

345 views • 17 slides
Formal Methods for Database Application Evolution I l Dillig University of Texas at Austin

Formal Methods for Database Application Evolution I l Dillig University of Texas at Austin

Formal Methods for Database Application Evolution I l Dillig University of Texas at Austin VSTTE 2020 1 Database Applications DB application: program that interacts with underlying database Database applications are ubiquitous

1.07k views • 49 slides

More recommend