on the secure software development in early stages within
play

On the Secure Software Development in Early Stages within UML - PowerPoint PPT Presentation

Sep 16, 2022 •30 likes •480 views

On the Secure Software Development in Early Stages within UML Profiles Ricardo J. Rodr guez rjrodriguez@unizar.es http://www.ricardojrodriguez.es 19 th September, 2011 This work has been developed in collaboration with Simona Bernardi

  1. On the Secure Software Development in Early Stages within UML Profiles Ricardo J. Rodr´ ıguez rjrodriguez@unizar.es http://www.ricardojrodriguez.es 19 th September, 2011 This work has been developed in collaboration with Simona Bernardi (Centro Universitario de la Defensa) and Jos´ e Merseguer (Universidad de Zaragoza) 7 th Hack.LU Luxembourg, Luxembourg Grand-Duch´ e

  2. Motivation Motivation (I) Development Cycle Phases Analysis Requirements (properties): Functional: what the system does Technical data, data processing. . . Non-functional: how the system does No. of clients to attend, transfer speed. . . Requirements engineer role 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 2 / 29

  3. Motivation Motivation (II) Requirements analysis Functional: (more or less) obvious What about non-functional? Constraints, usability, performance. . . After this: systems engineer + software engineer Security: the Forgotten One (1) Non-functional property of the system Lack of interest Consequence: “fix it later” Fix the problem when the problem raises. . . 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 3 / 29

  4. Motivation Motivation (III) Security: the Forgotten One (2) Severe consequences High cost reimplementation/redesign Financial looses Down services → less customers Disclosure of confidential data (e.g., Sony PSN) Who pays? Requirements engineer? Systems engineer? Software engineer? 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 4 / 29

  5. Motivation Motivation (III) Security: the Forgotten One (2) Severe consequences High cost reimplementation/redesign Financial looses Down services → less customers Disclosure of confidential data (e.g., Sony PSN) Who pays? Requirements engineer? Systems engineer? Software engineer? Subprime lending? 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 4 / 29

  6. Motivation Motivation (III) Security: the Forgotten One (2) Severe consequences High cost reimplementation/redesign Financial looses Down services → less customers Disclosure of confidential data (e.g., Sony PSN) Who pays? Requirements engineer? Systems engineer? Software engineer? Subprime lending? All of’em (no, subprime crisis not here. . . ) & nobody 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 4 / 29

  7. Motivation Motivation (IV) So, then what? Minimum of security knowledge Think on security on ALL development phases Methodology change → Secure Software Engineering 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 5 / 29

  8. Motivation Motivation (IV) So, then what? Minimum of security knowledge Think on security on ALL development phases Methodology change → Secure Software Engineering Security: from the beginning to the end 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 5 / 29

  9. Related work Related work (I) Requirements, architecture & aspects. . . Requirements analysis Haley et al. ( SESS , 2006) Wolter et al. ( Requir. Eng. , 2010) Architecture Schmidt et al. ( SA , 2006) Yskout et al. ( ARES , 2008) Abi-Antoun et al. ( ASE , 2010) Heyman et al. ( ESSoS , 2011) Aspect-oriented Braga et al. ( SoSym , 2010) Georg et al. ( TSE , 2011) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 6 / 29

  10. Related work Related work (II) Methodologies, patterns & formal methods. . . Design frameworks Mouratidis et al. ( CAiSE , 2003) Islan et al. ( SoSym , 2010) Khan ( Comp. F & S, Aug 2011 ) SDL (Microsoft) Security patterns Fern´ andez ( SERP , 2004) Halkidis et al. ( TDSC , 2008) Formal methods (automata or Petri nets) Schneider ( TISSEC , 2000) Horvath et al. ( SESS , 2008) Patzina et al. ( SD4RCES , 2010) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 7 / 29

  11. Related work Related work (III) Semi-formal methods. . . Using UML J¨ urgens (UMLSec, UML , 2002) Lodderstedt et al. (SecureUML, UML , 2002) Goudalo et al. ( SECURWARE , 2008) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 8 / 29

  12. Related work Related work (III) Semi-formal methods. . . Using UML J¨ urgens (UMLSec, UML , 2002) Lodderstedt et al. (SecureUML, UML , 2002) Goudalo et al. ( SECURWARE , 2008) UML-based approach Standard de facto Structural and behavioural system aspects Well-known → does it make easier to add security? 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 8 / 29

  13. Background Background (I) UML profile: what? OMG standard Stereotypes and tagged values 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 9 / 29

  14. Background Background (I) UML profile: what? OMG standard Stereotypes and tagged values Annotate UML elements Expressing Non-Functional Properties (NFP) on the UML designs Extending model semantic OMG example Modelling and Analysis of RT Embedded systems (MARTE) Support for performance and schedulability analysis NFPs expressed thru VSL ( Value Specification Language ) syntax OMG. A UML profile for Modeling and Analysis of Real Time Embedded Systems (MARTE). Document ptc/09-11-02 , 2009 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 9 / 29

  15. Background Background (II) Security definition (classic) Confidentiality Integrity Availability 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 10 / 29

  16. Background Background (II) Security definition (classic) Confidentiality Integrity Availability Tight relation with dependability (Avizienis) Dependability UML profile Dependability Analysis and Modelling (DAM) MARTE specialisation Dependability properties into UML ++Literature (many use cases) Avizienis, A. et al. Basic Concepts and Taxonomy of Dependable and Secure Computing. TDSC , 2004 Bernardi, S. et al. A Dependability Profile within MARTE. Journal of Software and Systems Modelling , 2009 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 10 / 29

  17. Background Background (III) s c o a n f f i d e e n t t m i a a i y l y n t i i t l t a i b y n a a i l b e i r l i t y Dependability Security y availability integrity i t n i l t i e b g a r l i i a t v y a 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 11 / 29

  18. Background Background (IV) Ok mate, and all this, what for? Quantitative analysis Conversion to formal models (Petri nets, PN) Powerful analysis techniques 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 12 / 29

  19. Background Background (IV) Ok mate, and all this, what for? Quantitative analysis Conversion to formal models (Petri nets, PN) Powerful analysis techniques Petri net Mathematical model Places (circles, p X ) Transitions (rectangles, t X ) Time transitions interpretation Immediate ( t = 0) Timed (deterministic or probabilistic distribution) Tokens (black dots) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 12 / 29

  20. SecAM UML profile A general overview. . . SecAM UML profile (I): a general overview. . . Security Analysis and Modelling 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 13 / 29

  21. SecAM UML profile Cryptography package SecAM UML profile (II): Cryptography package (1) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 14 / 29

  22. SecAM UML profile Cryptography package SecAM UML profile (II): Cryptography package (2) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 15 / 29

  23. SecAM UML profile SecurityMechanisms package SecAM UML profile (II): SecurityMechanisms package (1) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 16 / 29

  24. SecAM UML profile SecurityMechanisms package SecAM UML profile (II): SecurityMechanisms package (2) <<gaCommHost>> «secaFirewall» WAN {location=Network; defenceType=Reactive; «secaFirewall» filterLevel=Stateful} {location=Network; defenceType=Reactive; filterLevel=Packet} <<deviceResource>> <<secaFirewall>> <<gaCommHost>> <<secaFirewall>> <<deviceResource>> LAN firewall InternalFirewall <<secaDMZ>> <<secaBastion>> <<secaBastion>> <<gaCommHost>> WebServer TestServer InternaLAN <<secaBastion>> <<secaBastion>> MailServer ProxyServer «secaBastion» <<secaBastion>> <<secaLink>> {service=Mail} «secaLink» VPNServer <<gaCommHost>> {nFactor=2; SecureInternalLAN layer=Network; «secaBastion» protocol=IPsec} {service=VPN} 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 17 / 29

  25. SecAM UML profile Resilience package SecAM UML profile (III): Resilience package (1) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 18 / 29

  26. SecAM UML profile Resilience package SecAM UML profile (III): Resilience package (2) 7 th Hack.LU R.J. Rodr´ ıguez SSD in Early Stages within UML Profiles 19 / 29

Recommend

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
To Your Health: Software Development in Genentech Research and Early Development (gRED) Erik

To Your Health: Software Development in Genentech Research and Early Development (gRED) Erik

To Your Health: Software Development in Genentech Research and Early Development (gRED) Erik Bierwagen Genentech Bioinformatics and Computational Biology Scientific Software development/engineering Big data Large, distributed

837 views • 46 slides
Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on

Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on

Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle

598 views • 34 slides
Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is

Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is

Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is software engineering? An engineering discipline that is concerned with all aspects of software production from the early stages of system

676 views • 29 slides
Shallow NLP Three Early Stages: Pre-processing, Tokenization &amp; Morphological Analysis by

Shallow NLP Three Early Stages: Pre-processing, Tokenization &amp; Morphological Analysis by

CoLi USb Resources for com putational linguists Sem inar Shallow NLP Three Early Stages: Pre-processing, Tokenization &amp; Morphological Analysis by Achmad Yani CoLi Saarland University Contents 1 STAGES IN NLP SYSTEMS PRE-PROCESSING 2 3

644 views • 19 slides
The Impedance Budget Toolbox Structure and main concepts Introduction Early stages of

The Impedance Budget Toolbox Structure and main concepts Introduction Early stages of

The Impedance Budget Toolbox Structure and main concepts Introduction Early stages of development Outline of general structure Based on impedance_toolbox of D. Amorim and IW2D toolbox of N. Mounet Aims to provide a set

351 views • 9 slides
What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recent Security Incidents Garmin Ransomware -- $10 million Sync servers down for many days

506 views • 21 slides
Migration to Stages V7 Stages V7 UI Concept 2 Stages V7 Reporting Migration Guide:

Migration to Stages V7 Stages V7 UI Concept 2 Stages V7 Reporting Migration Guide:

Migration to Stages V7 Stages V7 UI Concept 2 Stages V7 Reporting Migration Guide: https://doc.stagesasaservice.com/doku.php?id=v7migrate:reports 3 Stages V7 Compliance 4 Stages V7 Tailoring 5 Stages V7 User Management 6

694 views • 15 slides
5 STAGES OF INTIMACY Dr. Jessica Higgins THE DEVELOPMENT OF INTIMACY Every couple goes

5 STAGES OF INTIMACY Dr. Jessica Higgins THE DEVELOPMENT OF INTIMACY Every couple goes

5 STAGES OF INTIMACY Dr. Jessica Higgins THE DEVELOPMENT OF INTIMACY Every couple goes through clear and predictable developmental stages within their relationship. The stages are not linear, as sometimes life challenges require us to

353 views • 32 slides
Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka , Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek 12 Aug 2018 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE

565 views • 39 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE SECURITY SPECIALIST Agenda Software Security Overview Software Security Methodologies Security Test Methods Analysis Tools Tools

497 views • 25 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Outline Big-Picture Introduction CSci 4271W Development of Secure Software Systems

Outline Big-Picture Introduction CSci 4271W Development of Secure Software Systems

Outline Big-Picture Introduction CSci 4271W Development of Secure Software Systems Breakout-group Introductions Day 1: Introduction and logistics Stephen McCamant (he/him/his) Course Logistics University of Minnesota, Computer Science &amp;

637 views • 6 slides
Use Case Evaluation (UCE): A Method for Early Usability Evaluation in Software Development Kasper

Use Case Evaluation (UCE): A Method for Early Usability Evaluation in Software Development Kasper

The USE Project: Usability Evaluation and Software Design: Bridging the Gap University of Copenhagen Aalborg University Use Case Evaluation (UCE): A Method for Early Usability Evaluation in Software Development Kasper Hornbk Department of

359 views • 14 slides
A brief historic overview of Syntax &amp; Early stages in Transformational Syntax Syntactic

A brief historic overview of Syntax &amp; Early stages in Transformational Syntax Syntactic

A brief historic overview Generative Grammar A brief historic overview of Syntax &amp; Early stages in Transformational Syntax Syntactic Theory Winter Semester 2009/2010 Antske Fokkens Department of Computational Linguistics Saarland

828 views • 56 slides
A brief historic overview of Syntax &amp; Early stages in Transformational Syntax Syntactic

A brief historic overview of Syntax &amp; Early stages in Transformational Syntax Syntactic

A brief historic overview Generative Grammar A brief historic overview of Syntax &amp; Early stages in Transformational Syntax Syntactic Theory Winter Semester 2009/2010 Antske Fokkens Department of Computational Linguistics Saarland

778 views • 38 slides
Summary of presentation COUNTY VARIATION IN THE EARLY STAGES OF OREGON DEPENDENCY CASES: CAUSES

Summary of presentation COUNTY VARIATION IN THE EARLY STAGES OF OREGON DEPENDENCY CASES: CAUSES

Summary of presentation COUNTY VARIATION IN THE EARLY STAGES OF OREGON DEPENDENCY CASES: CAUSES AND CONSEQUENCES Leslie Harris Professor, University of Oregon School of Law Juvenile Court Representation Task Force Nov. 23, 2015 I. Goals of

359 views • 14 slides
Cryptocurrency just got reliable Important Disclaimer: The Centric protocol is in the early stages

Cryptocurrency just got reliable Important Disclaimer: The Centric protocol is in the early stages

Cryptocurrency just got reliable Important Disclaimer: The Centric protocol is in the early stages of establishing network consensus. During this period, Centric is highly volatile and users should trade and interact with the protocol with

347 views • 10 slides
Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recap Symmetric keys Benefit: fastest, mathematically the strongest Drawback:

425 views • 23 slides
References 1. OA system language design and modeling framework Early development and application

References 1. OA system language design and modeling framework Early development and application

References 1. OA system language design and modeling framework Early development and application of ADLs Choi, S. and Scacchi, W. (1990). Extracting and Restructuring the Design of Large Software Systems, IEEE Software , 7(1), 66-73.

310 views • 3 slides
Open Source secure software updates for Linux-based IVI systems Arthur Taylor, CTO, ATS Advanced

Open Source secure software updates for Linux-based IVI systems Arthur Taylor, CTO, ATS Advanced

Open Source secure software updates for Linux-based IVI systems Arthur Taylor, CTO, ATS Advanced Telematic Systems Abstract Cyber security and vehicle recalls are two of the hottest topics in automotive software development right now.

351 views • 23 slides
Course Overview Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

Course Overview Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

Course Overview Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S. Meyers 1 In-Person Procedures When you enter/leave the classroom: Grab a towel and wipe down your work station

299 views • 10 slides
Who we are Consultancy Services International Development Creating value from and managing

Who we are Consultancy Services International Development Creating value from and managing

Who we are Consultancy Services International Development Creating value from and managing strategic Undertaking ambitious long term international assets by engaging with clients in the early stages development projects that make a positive

554 views • 19 slides

More recommend