Abstract
Securing web applications is a difficult task not only, because it is hard to implement bulletproof techniques, but also because web developers struggle to get an overview of how to avoid security flaws in a concrete application. This is aggravated by the fact that the description of a web application’s security concept is often scattered over lengthy requirements documents, if documented at all. In this chapter, we extend the graphical, UML-based Web Engineering (UWE) language to model security concepts within web applications, thus providing the aforementioned overview. Our approach is applied to a case study of an Energy Management System that provides a web interface for monitoring energy consumption and for configuring appliances. Additionally, we give an overview of how our approach contributes to the development of secure web applications along the software development life cycle.
Keywords
This work has been supported by the EU-NoE project NESSoS, GA 256980.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Basin, D., Clavel, M., Egea, M., Schläpfer, M.: Automatic Generation of Smart, Security-Aware GUI Models. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 201–217. Springer, Heidelberg (2010)
Busch, M., Knapp, A., Koch, N.: Modeling Secure Navigation in Web Information Systems. In: Grabis, J., Kirikova, M. (eds.) BIR 2011. LNBIP, vol. 90, pp. 239–253. Springer, Heidelberg (2011)
Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 75–88. ACM, New York (2008)
NESSoS: Network of Excellence on Engineering Secure Future Internet Software Services and Systems (2014), http://nessos-project.eu/
Bertolino, A., Busch, M., Daoudagh, S., Lonetti, F., Marchetti, E.: A Toolchain for Designing and Testing Access Control Policies. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds.) Engineering Secure Future Internet Services and Systems. LNCS, vol. 8431, pp. 266–286. Springer, Heidelberg (2014)
Cuellar, J., Suppan, S.: A smart metering scenario (2013), https://securitylab.disi.unitn.it/lib/exe/fetch.php?media=research_activities:erise:erise_2013:erise2013-smartmeteering-description.pdf
Cuellar, J.: NESSoS deliverable D11.4 – Pilot applications, evaluating NESSoS solutions (to appear, 2014)
Guerrero, J.M.: Microgrids: Integration of distributed energy resources into the smart-grid. In: IEEE International Symposium on Industrial Electronics, pp. 4281–4414 (2010)
LMU. Web Engineering Group.: UWE Website (2014), http://uwe.pst.ifi.lmu.de/
Cubo, J., Cuellar, J., Fries, S., Martín, J.A., Moyano, F., Fernández, G., Gago, M.C.F., Pasic, A., Román, R., Dieguez, R.T., Vinagre, I.: Selection and documentation of the two major applicationcase studies. NESSoS deliverable D11.2 (2011)
Gómez, A., Tellechea, M., Rodríguez, C.: D1.1 Requirements of AMI. Technical report, OPEN meter project (2009)
Bennett, C., Wicker, S.: Decreased time delay and security enhancement recommendations for ami smart meter networks. In: Innovative Smart Grid Technologies (ISGT), pp. 1–6 (2010)
OWASP Foundation: OWASP Top 10 – 2013 (2013), http://owasptop10.googlecode.com/files/OWASPTop10-2013.pdf
OMG.: OCL 2.0 (2011), http://www.omg.org/spec/OCL/2.0/
No Magic Inc.: Magicdraw (2014), http://www.magicdraw.com/
Busch, M., Koch, N.: NESSoS Deliverable D2.3 – Second Release of the SDE for Security-Related Tools (2012)
Busch, M., Koch, N.: MagicUWE — A CASE Tool Plugin for Modeling Web Applications. In: Gaedke, M., Grossniklaus, M., Díaz, O. (eds.) ICWE 2009. LNCS, vol. 5648, pp. 505–508. Springer, Heidelberg (2009)
Busch, M., Ochoa, M., Schwienbacher, R.: Modeling, Enforcing and Testing Secure Navigation Paths for Web Applications. Technical Report 1301, Ludwig-Maximilians-Universität München (2013)
Busch, M., García de Dios, M.A.: ActionUWE: Transformation of UWE to ActionGUI Models. Technical report, Ludwig-Maximilians-Universität München, Number 1203 (2012)
Kroiss, C., Koch, N., Knapp, A.: UWE4JSF - A Model-Driven Generation Approach for Web Applications. In: Gaedke, M., Grossniklaus, M., Díaz, O. (eds.) ICWE 2009. LNCS, vol. 5648, pp. 493–496. Springer, Heidelberg (2009)
Eclipse: XPand (2013), http://wiki.eclipse.org/Xpand
OASIS: eXtensible Access Control Markup Language (XACML) Version 2.0 (2005), http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
Wolf, K.: Sicherheitsbezogene Model-to-Code Transformation für Webanwendungen (German), Bachelor Thesis (2012)
Busch, M., Koch, N., Masi, M., Pugliese, R., Tiezzi, F.: Towards model-driven development of access control policies for web applications. In: Model-Driven Security Workshop in Conjunction with MoDELS 2012. ACM Digital Library (2012)
Masi, M., Pugliese, R., Tiezzi, F.: Formalisation and Implementation of the XACML Access Control Mechanism. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 60–74. Springer, Heidelberg (2012)
SDE: Service Development Environment (2014), http://www.nessos-project.eu/sde
Soriano, R., Alberto, M., Collazo, J., Gonzales, I., Kupzo, F., Moreno, L., Lugmaier, A., Lorenzo, J.: OpenNode. Open Architecture for Secondary Nodes of the Electricity SmartGrid. In: 21st International Conference on Electricity Distribution (2011)
Department of Energy and Climate Change: Smart Metering Implementation Programme, Response to Prospectus Consultation, Overview Document. Technical report, Office of Gas and Electricity Markets (2011)
Beckers, K., Fabender, S., Heisel, M., Suppan, S.: A threat analysis methodology for smart home scenarios. In: SmartGridSec 2014. LNCS. Springer (2014)
Grossman, J.: Website security statistics report. Technical report, WhiteHat Security (2013), https://www.whitehatsec.com/resource/stats.html
Busch, M.: Secure Web Engineering supported by an Evaluation Framework. In: Modelsward 2014. Scitepress (2014)
Jürjens, J.: Secure Systems Development with UML. Springer (2004), Tools and further information: http://www.umlsec.de/
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
Slimani, N., Khambhammettu, H., Adi, K., Logrippo, L.: UACML: Unified Access Control Modeling Language. In: NTMS 2011, pp. 1–8 (2011)
Hafner, M., Breu, R.: Security Engineering for Service-Oriented Architectures. Springer (2008)
Gilmore, S., Gönczy, L., Koch, N., Mayer, P., Tribastone, M., Varró, D.: Non-functional Properties in the Model-Driven Development of Service-Oriented Systems. J. Softw. Syst. Model. 10(3), 287–311 (2011)
Menzel, M., Meinel, C.: A Security Meta-model for Service-Oriented Architectures. In: Proc. 2009 IEEE Int. Conf. Services Computing (SCC 2009), pp. 251–259. IEEE (2009)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Busch, M., Koch, N., Suppan, S. (2014). Modeling Security Features of Web Applications. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds) Engineering Secure Future Internet Services and Systems. Lecture Notes in Computer Science, vol 8431. Springer, Cham. https://doi.org/10.1007/978-3-319-07452-8_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-07452-8_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07451-1
Online ISBN: 978-3-319-07452-8
eBook Packages: Computer ScienceComputer Science (R0)