A Structured Approach to Software Security

  • Ton van Opstal


Security is an important aspect of software that needs to be considered during the entire System Development Life Cycle (SDLC). A structured and practical approach to handle Software Security is proposed by defining the con-cept of Security Architecture and by using this Security Architecture as key concept to relate all security activities that need to be performed as defined by the SDLC. The Security Architecture itself is described using a structured definition format, called the Extensible Security Architecture Description Format (XSADF). XSADF can be used as input format for tools that can assess the security aspects of a system under development.

To support the work on a Security Architecture, a Security Architecture Framework is proposed. Software Architects can use this framework as a template to define the Security Architecture for the system they are developing.

The structured approach using XSADF, with a central place for Security Architecture, is a step to achieve „security by design“.


Security Requirement Structure Approach Security Control Security Architecture Software Security 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. Howard, Michael – Lipner, Steve: The Security Development Lifecycle. Microsoft, 2006, ISBN: 978- 0-735-62214-2.Google Scholar
  2. McGraw, Gary: Software Security Building Security In, Addison-Wesley, 2006, ISBN: 0-321-35670-5Google Scholar
  3. Kissel, Richard – Stine, Kevin – Scholl, Matthew – Rossman, Hart – Fahlsing, Jim – Gulick, Jessica: NIST Special Publication 800-64, Revision 2, Security Considerations in the Information System Development Life Cycle, NIST, November 2008,
  4. van Opstal, Ton: A Structured Approach to Software Security, Introducing the Extensible Security Architecture Description Format. Master Thesis TiasNimbas Business School, November 2008Google Scholar
  5. Ross, Ron – Katzke, Stu – Johnson, Arnold – Swanson, Marianne – Stoneburner, Gary – Rogers, George: NIST Special Publication 800-53, Revision 2, Recommended Security Controls for Federal Information Systems, NIST, December 2007
  6. Ziring, Neal – Quinn, Stephen D.: Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4, NIST, January 2008

Copyright information

© Vieweg+Teubner | GWV Fachverlage GmbH 2010

Authors and Affiliations

  • Ton van Opstal
    • 1
  1. 1.Ericsson Telecommunicatie BV Research & DevelopmentRijenThe Netherlands

Personalised recommendations