Abstract
Security involves technical as well as social challenges. In the development of security-critical applications, system developers must consider both the technical and the social parts. To achieve this, security issues must be considered during the whole development life-cycle of an information system. This paper presents an approach that allows developers to consider both the social and the technical dimensions of security through a structured and well defined process. In particular, the proposed approach takes the high-level concepts and modelling activities of the secure Tropos methodology and enriches them with a low level security-engineering ontology and models derived from the UMLsec approach. A real case study from the e-commerce sector is employed to demonstrate the applicability of the approach.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Anderson, R.: Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, New York (2001)
Basin, D., Doser, J., Lodderstedt, T.: Model Driven Security for Process Oriented Systems. In: Proceedings of the 8th ACM symposium on Access Control Models and Technologies, Como, Italy (2003)
Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A.: TROPOS: An Agent Oriented Software Development Methodology. Journal of Autonomous Agents and Multi-Agent Systems 8(3), 203–236 (2004)
CEPSCO, Common Electronic Purse Specifications, Business Requirements ver. 7, Functional Requirements ver. 6.3, Technical Specification ver. 2.2 (2000), Available from: http://www.cepsco.com
Crook, R., Ince, D., Lin, L., Nuseibeh, B.: Security Requirements Engineering: When Anti-requirements Hit the Fan. In: Proceedings of the 10th International Requirements Engineering Conference, pp. 203–205. IEEE Press, Los Alamitos (2002)
Cysneiros, L.M., Sampaio do Prado Leite, J.P.: Nonfunctional Requirements: From Elicitation to Conceptual Models. IEEE Trans. Software Eng. 30(5), 328–350 (2004)
Devanbu, P., Stubblebine, S.: Software Engineering for Security: a Roadmap. In: Proceedings of ICSE 2000 (the conference of the future of Software engineering) (2000)
Giorgini, P., Massacci, F., Mylopoulos, J.: Requirement Engineering Meets Security: A Case Study on Modelling Secure Electronic Transactions by VISA and Mastercard. In: Song, I.-Y., Liddle, S.W., Ling, T.-W., Scheuermann, P. (eds.) ER 2003. LNCS, vol. 2813, pp. 263–276. Springer, Heidelberg (2003)
Hermann, G., Pernul, G.: Viewing business-process security from different perspectives. International Journal of electronic Commence 3, 89–103 (1999)
Jürjens, J., Shabalin, P.: Tools for Critical Systems Development with UML (Tool Demo). In: Nunes, N.J., Selic, B., Silva, A., Toval, A. (eds.) UML 2004 Satellite Events. LNCS, Springer, Heidelberg (2004E), [Protected content can be accessed as user: Reader, with password: Ihavethebook]. Available as open-source. Accessible at: http://www.UMLsec.org
Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2004)
McDermott, J., Fox, C.: Using Abuse Case Models for Security Requirements Analysis. In: Proceedings of the 15th Annual Computer Security Applications Conference (December 1999)
Mouratidis, H.: A Security Oriented Approach in the Development of Multiagent Systems: Applied to the Management of the Health and Social Care Needs of Older People in England. PhD thesis, University of Sheffield, U.K. (2004)
Mouratidis, H., Giorgini, P., Manson, G.: Integrating Security and Systems Engineering: towards the modelling of secure information systems. In: Eder, J., Missikoff, M. (eds.) CAiSE 2003. LNCS, vol. 2681. Springer, Heidelberg (2003)
Object Management Group, OMG Unified Modeling Language Specification v1.5. Version 1.5. OMG Document formal/03-03-01 (March 2003)
Saltzer, J., Schroeder, M.: The protection of information in computer systems. Proceedings of the IEEE 63(9), 1278–1308 (1975)
Schneider, F. (ed.): Trust in Cyberspace. National Academy Press, Washington (1999), Available as: http://www.nap.edu/readingroom/books/trust/
Schneier, B.: Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons, Chichester (2000)
Schumacher, M., Roedig, U.: Security Engineering with Patterns. In: Proceedings of the 8th Conference on Pattern Languages for Programs (PLoP 2001), Illinois-USA (September 2001)
Schumacher, M.: Security Engineering with Patterns. LNCS, vol. 2754. Springer, Heidelberg (2003)
Shamir, A.: Crypto Predictions. In: Franklin, M.K. (ed.) FC 1999. LNCS, vol. 1648. Springer, Heidelberg (1999)
The Economist, Digital rights and wrongs (July 17, 1999)
van Lamsweerde, A., Letier, E.: Handling Obstacles in Goal-Oriented Requirements Engineering. Transactions of Software Engineering 26(10), 978–1005 (2000)
Viega, J., McGraw, G.: Building a Secure Software. Addison-Wesley, Reading (2002)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Mouratidis, H., Jürjens, J., Fox, J. (2006). Towards a Comprehensive Framework for Secure Systems Development. In: Dubois, E., Pohl, K. (eds) Advanced Information Systems Engineering. CAiSE 2006. Lecture Notes in Computer Science, vol 4001. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11767138_5
Download citation
DOI: https://doi.org/10.1007/11767138_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34652-4
Online ISBN: 978-3-540-34653-1
eBook Packages: Computer ScienceComputer Science (R0)