Security and Dependability Engineering

  • Jan Jürjens
Part of the Advances in Information Security book series (ADIS, volume 45)


The current state of the art in security-critical ambient systems is far from satisfactory: new security vulnerabilities are discovered on an almost daily basis. To improve this situation, there has recently been a lot of work on techniques and tools that support the development of trustworthy security-critical software, in particular for dynamic systems in an ambient environment. This chapter gives an overview of the field of security and dependability engineering, with an emphasis on ambient system security and on current advances in model-based development using UML that provide strong assurance results. We give examples of security flaws found in industrial software using such tools and briefly discuss some open research issues.


Keywords: Access Control; Security Requirement; Object Constraint Language; Access Control Policy; Misuse Case




References

  1. Agreiter B, Alam M, Hafner M, Seifert J-P, and Zhang X (2007). Model driven configuration of secure operating systems for mobile applications in healthcare. In Sztipanovits et al. [83].
  2. Alam M, Hafner M, and Breu R (2007). Model-driven security engineering for trust management in SECTET. Journal of Software, 2(1).
  3. Alam M, Hafner M, Memon M, and Hung P (2007). Modeling and enforcing advanced access control policies in healthcare systems with SECTET. In Sztipanovits et al. [83].
  4. Anderson R (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, New York.
  5. Apvrille A and Pourzandi M (2005). Secure software development by example. IEEE Security & Privacy, 3(4):10–17.
  6. Arenas A, Aziz B, Bicarregui J, Matthews B, and Yang EY (2008). Modelling security properties in a grid-based operating system with anti-goals. In ARES [42]: 1429–1436.
  7. Basin DA, Clavel M, Doser J, and Egea M (2007). A metamodel-based approach for analyzing security-design models. In MoDELS 2007: 420–435.
  8. Breu R, Burger K, Hafner M, Jürjens J, Popp G, Wimmel G, and Lotz V (2003). Key issues of a formally based process model for security engineering. In 16th International Conference on Software & Systems Engineering & their Applications (ICSSEA 2003).
  9. Baldwin A, Beres Y, Shiu S, and Kearney P (2006). A model based approach to trust, security and assurance. BT Technology Journal, 24(4):53–68.
  10. Basin DA, Doser J, and Lodderstedt T (2006). Model driven security: From UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol., 15(1):39–91.
  11. Bauer A and Jürjens J (2008). Security protocols, properties, and their monitoring. In Bart De Win, Seok-Won Lee, and Mattia Monga, editors, SESS: 33–40. ACM.
  12. Best B, Jürjens J, and Nuseibeh B (2007). Model-based security engineering of distributed information systems using UMLsec. In ICSE. ACM.
  13. Bhargavan K, Fournet C, Gordon AD, and Tse S (2006). Verified interoperable implementations of security protocols. In CSFW: 139–152. IEEE Computer Society.
  14. Blobel B, Nordberg R, Davis JM, and Pharow P (2006). Modelling privilege management and access control. International Journal of Medical Informatics, 75(8):597–623.
  15. Blobel B and Pharow P (2007). A model-driven approach for the German health telematics architectural framework and security infrastructure. International Journal of Medical Informatics, 76(2–3):169–175.
  16. Boehm BW (1981). Software Engineering Economics. Prentice Hall, Englewood Cliffs, NJ.
  17. Brucker AD, Doser J, and Wolff B (2006). A model transformation semantics and analysis methodology for SecureUML. In MoDELS 2006, volume 4199 of LNCS: 306–320. Springer.
  18. Buchholtz M, Gilmore S, Haenel V, and Montangero C (2005). End-to-end integrated security and performance analysis on the DEGAS Choreographer Platform. In FM 2005, volume 3582 of LNCS: 286–301. Springer.
  19. Crook R, Ince DC, Lin L, and Nuseibeh B (2002). Security requirements engineering: When anti-requirements hit the fan. In RE 2002: 203–205. IEEE.
  20. Daskala B and Maghiros I (2007). Digital Territories – Towards the protection of public and private space in a digital and Ambient Intelligence environment. Institute for Prospective Technological Studies (IPTS).
  21. Deubler M, Grünbauer J, Jürjens J, and Wimmel G (2004). Sound development of secure service-based systems. In ICSOC 2004: 115–124. ACM.
  22. Devanbu P and Stubblebine S (2000). Software engineering for security: a roadmap. In The Future of Software Engineering (ICSE 2000): 227–239.
  23. Dimitrakos T, Ritchie B, Raptis D, Aagedal JØ, den Braber F, Stølen K, and Houmb SH (2002). Integrating model-based security risk management into ebusiness systems development: The CORAS approach. In Second IFIP Conference on E-Commerce, E-Business, E-Government (I3E 2002): 159–175. Kluwer.
  24. Eckert C and Marek D (1997). Developing secure applications: A systematic approach. In 13th International Conference on Information Security (SEC 1998): 267–279.
  25. Elahi G and Yu E (2007). A goal oriented approach for modeling and analyzing security trade-offs. In ER 2007, volume 4801 of LNCS: 375–390. Springer.
  26. Fernandez EB and Hawkins JC (1997). Determining role rights from use cases. In Workshop on Role-Based Access Control: 121–125. ACM.
  27. Fernandez EB, Larrondo-Petrie MM, Sorgente T, and VanHilst M (2006). A methodology to develop secure systems using patterns. In H Mouratidis and P Giorgini, editors, Integrating Security and Software Engineering: Advances and Future Vision, chapter 5: 107–126. IDEA Press.
  28. Fernández-Medina E and Piattini M (2004). Extending OCL for secure database development. In UML 2004, LNCS: 380–394. Springer.
  29. Flechais I, Mascolo C, and Sasse MA (2007). Integrating security and usability into the requirements and design process. International Journal of Electronic Security and Digital Forensics, 1(1):12–26.
  30. Gartner (2007). Model-driven security: Enabling a real-time, adaptive security infrastructure. Gartner Briefing G00151498, 21 Sep. 2007.
  31. Gilmore S, Haenel V, Kloul L, and Maidl M (2005). Choreographing security and performance analysis for web services. In EPEW/WS-FM 2005, volume 3670 of LNCS: 200–214. Springer.
  32. Giorgini P, Massacci F, and Mylopoulos J (2003). Requirement engineering meets security: A case study on modelling secure electronic transactions by VISA and Mastercard. In I-Y Song, SW Liddle, TW Ling, and P Scheuermann, editors, 22nd International Conference on Conceptual Modeling (ER 2003), volume 2813 of LNCS: 263–276. Springer.
  33. Giorgini P, Massacci F, Mylopoulos J, and Zannone N (2005). Modeling security requirements through ownership, permission and delegation. In RE: 167–176. IEEE Computer Society.
  34. Gollmann D (2000). On the verification of cryptographic protocols – a tale of two committees. In S Schneider and P Ryan, editors, Workshop on Security Architectures and Information Flow, volume 32 of ENTCS. Elsevier.
  35. Goubault-Larrecq J and Parrennes F (2005). Cryptographic protocol analysis on real C code. In VMCAI 2005, LNCS. Springer.
  36. Gürgens S and Peralta R (2000). Validation of cryptographic protocols by efficient automated testing. In James N Etheredge and Bill Z Manaris, editors, FLAIRS Conference: 7–12. AAAI Press.
  37. Haley CB, Laney RC, Moffett JD, and Nuseibeh B (2008). Security requirements engineering: A framework for representation and analysis. IEEE Trans. Software Eng., 34(1):133–153.
  38. Haneberg D, Reif W, and Stenzel K (2002). A method for secure smartcard applications. In Hélène Kirchner and Christophe Ringeissen, editors, AMAST, volume 2422 of LNCS: 319–333. Springer.
  39. Heldal R and Hultin F (2003). Bridging model-based and language-based security. In E Snekkenes and D Gollmann, editors, 8th European Symposium on Research in Computer Security (ESORICS 2003), volume 2808 of LNCS: 235–252. Springer.
  40. Höhn S and Jürjens J (2008). Rubacon: automated support for model-based compliance engineering. In Robby, editor, ICSE: 875–878. ACM.
  41. Houmb SH, Georg G, France RB, Bieman JM, and Jürjens J (2005). Cost-benefit trade-off analysis using BBN for aspect-oriented risk-driven development. In ICECCS: 195–204. IEEE Computer Society.
  42. IEEE (2008). 3rd International Conference on Availability, Reliability and Security (ARES 2008).
  43. Jayaram KR and Mathur A (2005). Software engineering for secure software – state of the art: A survey. Technical Report CERIAS-TR-2005-67, SERC-TR-279, CERIAS, Purdue.
  44. Jürjens J (2000). Secure information flow for concurrent processes. In C Palamidessi, editor, CONCUR 2000 (11th International Conference on Concurrency Theory), volume 1877 of LNCS: 395–409. Springer.
  45. Jürjens J (2001). Secrecy-preserving refinement. In International Symposium on Formal Methods Europe (FME), volume 2021 of LNCS: 135–152. Springer.
  46. Jürjens J (2001). Towards development of secure systems using UMLsec. In H Hußmann, editor, 4th International Conference on Fundamental Approaches to Software Engineering (FASE), volume 2029 of LNCS: 187–200. Springer. Also Oxford University Computing Laboratory TR-9-00 (November 2000),
  47. Jürjens J (2002). UMLsec: Extending UML for secure systems development. In 5th International Conference on the Unified Modeling Language (UML), LNCS. Springer.
  48. Jürjens J (2002). Formal semantics for interacting UML subsystems. In Formal Methods for Open Object-Based Distributed Systems (FMOODS 2002), IFIP, Kluwer: 29–43.
  49. Jürjens J and Shabalin P (2004). Automated verification of UMLsec models for security requirements. In 7th International Conference on the Unified Modeling Language (UML 2004), LNCS: 142–155. Springer.
  50. Jürjens J (2005). Secure Systems Development with UML. Springer.
  51. Jürjens J (2005). Sound methods and effective tools for model-based security engineering with UML. In 27th International Conference on Software Engineering. IEEE.
  52. Jürjens J (2006). Security analysis of crypto-based Java programs using automated theorem provers. In S Easterbrook and S Uchitel, editors, 21st IEEE/ACM International Conference on Automated Software Engineering (ASE 2006). ACM.
  53. Jürjens J (2009). A domain-specific language for cryptographic protocols based on streams. To appear, Journal of Logic and Algebraic Programming (JLAP): 54–73.
  54. Jürjens J and Rumm R (2008). Model-based security analysis of the German Health Card architecture. Methods of Information in Medicine, 47(5):409–416. Special section on Model-based Development of Trustworthy Health Information Systems.
  55. Jürjens J and Shabalin P (2007). Tools for secure systems development with UML. International Journal on Software Tools for Technology Transfer, 9(5–6):527–544. Invited submission to the special issue for FASE 2004/05.
  56. Jürjens J and Wimmel G (2001). Security modelling for electronic commerce: The Common Electronic Purse Specifications. In Towards the E-Society: E-Commerce, E-Business, and E-Government. International Federation for Information Processing (IFIP), Kluwer Academic Publishers: 489–506. First IFIP Conference on E-Commerce, E-Business, and E-Government (I3E 2001).
  57. Jürjens J and Yampolskiy M (2005). Code security analysis with assertions. In DF Redmiles, T Ellman, and A Zisman, editors, 20th IEEE/ACM International Conference on Automated Software Engineering (ASE 2005): 392–395. ACM.
  58. Kearney P and Brügger L (2007). A risk-driven security analysis method and modelling language. BT Technology Journal, 25(1).
  59. Koch M and Parisi-Presicce F (2006). UML specification of access control policies and their formal verification. Software and System Modeling, 5(4):429–447.
  60. Kolarczyk S, Koch M, Löhr K-P, and Pauls K (2006). SecTOOL – supporting requirements engineering for access control. In Günter Müller, editor, ETRICS, volume 3995 of LNCS: 254–267. Springer.
  61. Lotz V (1997). Threat scenarios as a means to formally develop secure systems. Journal of Computer Security, 5(1):31–68.
  62. Maña A, Montenegro JA, Rudolph C, and Vivas JL (2003). A business process-driven approach to security engineering. In DEXA Workshops: 477–481. IEEE Computer Society.
  63. Maña A, Rudolph C, Spanoudakis G, Lotz V, Massacci F, Melideo M, and López-Cobo J-M (2006). Security engineering for Ambient Intelligence: A manifesto. In H Mouratidis, editor, Integrating Security and Software Engineering: Advances and Future Vision. Idea Group.
  64. Massacci F, Mylopoulos J, and Zannone N (2007). Computer-aided support for Secure Tropos. Autom. Softw. Eng., 14(3):341–364.
  65. Mathe J, Duncavage S, Werner J, Malin B, Ledeczi A, and Sztipanovits J (2007). Implementing a model-based design environment for clinical information systems. In Sztipanovits et al. [83].
  66. McGraw G (2006). Software Security: Building Security In. Addison Wesley.
  67. Méry D and Merz S (2007). Specification and refinement of access control. J. UCS, 13(8):1073–1093.
  68. Moebius N, Haneberg D, Reif W, and Schellhorn G (2007). A modeling framework for the development of provably secure e-commerce applications. In ICSEA: 8. IEEE Computer Society.
  69. Mouratidis H, Giorgini P, and Manson GA (2003). Integrating security and systems engineering: Towards the modelling of secure information systems. In J Eder and M Missikoff, editors, 15th International Conference on Advanced Information Systems Engineering (CAiSE 2003), volume 2681 of LNCS: 63–78. Springer.
  70. Mouratidis H, Jürjens J, and Fox J (2006). Towards a comprehensive framework for secure systems development. In 18th International Conference on Advanced Information Systems Engineering (CAiSE 2006), LNCS. Springer.
  71. Pironti A and Sisto R (2008). Soundness conditions for message encoding abstractions in formal security protocol models. In ARES 2008: 72–79.
  72. Ray I, France RB, Li N, and Georg G (2004). An aspect-based approach to modeling access control concerns. Information & Software Technology, 46(9):575–587.
  73. Redwine S (2007). Introduction to modeling tools for software security. In: Build Security In – Setting a Higher Standard for Software Assurance. Software Engineering Institute (SEI), Carnegie Mellon University. Available at
  74. Rosado DG, Fernández-Medina E, Piattini M, and Gutiérrez C (2006). A study of security architectural patterns. In ARES: 358–365. IEEE Computer Society.
  75. Saltzer J and Schroeder M (1975). The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278–1308.
  76. Santen T (2006). Stepwise development of secure systems. In Janusz Górski, editor, SAFECOMP, volume 4166 of LNCS: 142–155. Springer.
  77. Santen T, Heisel M, and Pfitzmann A (2002). Confidentiality-preserving refinement is compositional – sometimes. In Dieter Gollmann, Günter Karjoth, and Michael Waidner, editors, ESORICS, volume 2502 of LNCS: 194–211. Springer.
  78. Schneider F, editor (1999). Trust in Cyberspace. National Academy Press, Washington, DC. Available at
  79. Seehusen F and Stølen K (2006). Information flow property preserving transformation of UML interaction diagrams. In David F Ferraiolo and Indrakshi Ray, editors, SACMAT: 150–159. ACM.
  80. Sindre G and Opdahl AL (2005). Eliciting security requirements with misuse cases. Requir. Eng., 10(1):34–44.
  81. Siveroni I, Zisman A, and Spanoudakis G (2008). Property specification and static verification of UML models. In 3rd International Conference on Availability, Reliability, and Security (ARES 2008).
  82. Spanoudakis G, Kloukinas C, and Androutsopoulos K (2007). Towards security monitoring patterns. In SAC: 1518–1525. ACM.
  83. Sztipanovits J, Breu R, Ammenwerth E, Bajcsy R, Mitchell JC, and Pretschner A, editors (2007). Workshop on Model-based Trustworthy Health Information Systems (MOTHIS@Models).
  84. UMLsec group (2004). Security analysis tool.
  85. Whittle J, Wijesekera D, and Hartong M (2008). Executable misuse cases for modeling security concerns. In ICSE 2008.
  86. Whyte B and Harrison J (2008). Secure software development – a white paper. Knowledge Transfer Network on Cyber Security, UK. Available at
  87. Wimmel G and Jürjens J (2002). Specification-based test generation for security-critical systems using mutations. In International Conference on Formal Engineering Methods (ICFEM), volume 2495 of LNCS: 471–482. Springer.
  88. Wirsing M (2008). Software engineering for secure software-intensive systems. Consultation meeting on "Engineering Secure Software Systems" in the context of the preparation of the EU FP7 ICT work programme 2009–2010, Brussels. Presentation available at
  89. Woodside M, Petriu DC, Petriu DB, Xu J, Israr T, Georg G, France R, Bieman JM, Houmb SH, and Jürjens J (2008). Performance analysis of security aspects by weaving scenarios from UML models. Journal of Systems and Software, 82(1):56–74.
  90. Yoshioka N, Honiden S, and Finkelstein A (2004). Security patterns: A method for constructing secure and efficient inter-company coordination systems. In EDOC: 84–97.
  91. Yskout K, Scandariato R, De Win B, and Joosen W (2008). Transforming security requirements into architecture. In ARES [42]: 1421–1428.
  92. Yu Y, Jürjens J, and Mylopoulos J (2008). Traceability for the maintenance of secure software. In 24th International Conference on Software Maintenance (ICSM). IEEE.
  93. Zhang G, Baumeister H, Koch N, and Knapp A (2005). Aspect-oriented modeling of access control in web applications. In 6th International Workshop on Aspect-Oriented Modeling.

Copyright information

© Springer-Verlag US 2009

Authors and Affiliations

  • Jan Jürjens, The Open University, Milton
