Authors: Mohammad Reza Ayatollahzadeh Shirazi, Pooya Jaferian, Golnaz Elahi, Hamid Baghi, Babak Sadeghian

Abstract:

The world is moving rapidly toward the deployment of information and communication systems. Nowadays, computing systems with their fast growth are found everywhere and one of the main challenges for these systems is increasing attacks and security threats against them. Thus, capturing, analyzing and verifying security requirements becomes a very important activity in development process of computing systems, specially in developing systems such as banking, military and e-business systems. For developing every system, a process model which includes a process, methods and tools is chosen. The Rational Unified Process (RUP) is one of the most popular and complete process models which is used by developers in recent years. This process model should be extended to be used in developing secure software systems. In this paper, the Requirement Discipline of RUP is extended to improve RUP for developing secure software systems. These proposed extensions are adding and integrating a number of Activities, Roles, and Artifacts to RUP in order to capture, document and model threats and security requirements of system. These extensions introduce a group of clear and stepwise activities to developers. By following these activities, developers assure that security requirements are captured and modeled. These models are used in design, implementation and test activitie

Keywords:

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1055024

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 2753

References:

[1] Matt Bishop, Computer Security, Art & Science, Addison-Wesley, First Edition, 2002
[2] J. J¨urjens. Secure Systems Development with UML. Springer, To be published. 2004.
[3] Shreyas Doshi, Software Engineering and Security: Towards Architecting Secure Software, a graduate term paper for ICS 221- Seminar in Software Engineering, University of California, Irvine, 2001.
[4] Lawrence Chung Brian A. Nixon, Dealing with Non-Functional Requirements: Three Experimental Studies of a Process-Oriented Approach ,International Conference on Software Engineering 1995.
[5] Barbara Paech, Allen H. Dutoit, Daniel Kerkow, Antje von Knethen ,Functional requirements, non-functional requirements, and architecture should not be separated, 8th International Workshop on Requirements Engineering: Foundation for Software Quality, Essen, Germany, 2002
[6] Robert Grady, Practical Software Metrics for Project Management and Process Improvement, Prentice Hall, 1992
[7] Philippe Kruchten, The Rational Unified Process: An Introduction, Third Edition, Addison-Wesley Pub Co, 2003.
[8] Donald G. Firesmith, Engineering Security Requirements, Journal of Object Technology, Vol. 2, No. 1, January-February 2003.
[9] Donald G. Firesmith, Security Use Cases, Journal Of Object Technology, Vol. 2, No. 3, May-June 2003.
[10] Robert J. Ellison Richard C. Linger, Andrew P. Moore Attack Modeling for Information Security and Survivability CMU/SEI-2001-TN-001, 2001
[11] Jeffrey Barcalow, Joseph Yoder Architectural Patterns for Enabling Application Security, The 4th Pattern Languages of Programming Conference 1997.
[12] H. Baghi, P. Jaferian, G. Elahi, M.R. Shirazi, B. Sadeghian, An Extension on RUP for Developing Secure Systems, Proceedings of the 10th Annual International CSI Computer Conference, 2005
[13] Onn Shehory, Arnon Sturm, Evaluation of modeling techniques for agent-based systems, Proceedings of the fifth international conference on Autonomous agents,2001
[14] G. Popp and J. J¨urjens and G. WimmelR. Breu. Security-Critical System Development with Extended Use Cases, Tenth Asia-Pacific Software Engineering Conference, 2003
[15] Ruth Breu, Klaus Burger, Michael Hafner, Jan J├╝rjens, Gerhard Popp, Guido Wimmel, Volkmar Lotz , Key Issues of a Formally Based Process Model for Security Engineering, 16th International Conference "Software & Systems Engineering & their Applications" (ICSSEA), 2003.
[16] Premkumar T. Devanbu, Stuart Stubblebine. Software engineering for security: a roadmap, ICSE - Future of SE Track ,2000.
[17] John McDermott and Chris Fox Using Abuse Case Models for Security Requirements Analysis, Proceedings of the 15th Annual Computer Security Applications Conference ,1999.
[18] Gunnar Petterson, Collaboration in a Secure Development Process - Part I, Information Security Bulletin, June 2004.
[19] Ruth Breu, Klaus Burger, Michael Hafner, Gerhard Popp, Towards a Systematic Development of Secure Systems, WOSIS, 2004.
[20] J¨urgen Doser , Torsten Lodderstedt Model Driven Security For Process oriented Systems David Basin, Proceedings of the eighth ACM symposium on Access control models and technologies, 2003.
[21] Ross Anderson ,Security Engineering , a guide to building dependable system. Wiley, 2001.