A Structured Approach to Software Security
Security is an important aspect of software that needs to be considered during the entire System Development Life Cycle (SDLC). A structured and practical approach to handling software security is proposed by defining the concept of Security Architecture and by using this Security Architecture as the key concept to relate all security activities that need to be performed as defined by the SDLC. The Security Architecture itself is described using a structured definition format, called the Extensible Security Architecture Description Format (XSADF). XSADF can be used as an input format for tools that can assess the security aspects of a system under development.
To support the work on a Security Architecture, a Security Architecture Framework is proposed. Software Architects can use this framework as a template to define the Security Architecture for the system they are developing.
The structured approach using XSADF, with a central place for Security Architecture, is a step toward achieving "security by design".
Keywords: Security Requirement, Structure Approach, Security Control, Security Architecture, Software Security