Design notations for secure software: a systematic literature review

  • Regular Paper
  • Software & Systems Modeling

Abstract

In the past 10 years, the research community has produced a significant number of design notations for representing security properties and concepts in a design artifact. These notations are aimed at documenting and analyzing security in a software design model. The fragmentation of the research space, however, has resulted in a complex tangle of different techniques. Hence, practitioners are confronted with the challenging task of selecting the right approach from a multitude of proposals. Similarly, it is hard for researchers to keep track of the synergies among the existing notations in order to identify opportunities for original contributions. This paper presents a systematic literature review that inventories the existing notations and provides an in-depth, comparative analysis of each.

Acknowledgments

This research is partially funded by the Research Fund KU Leuven and by the EU FP7 project NESSoS, with the financial support from the Prevention of and Fight against Crime Programme of the European Union (B-CCENTRE).

Author information

Corresponding author

Correspondence to Alexander van den Berghe.

Additional information

Communicated by Prof. Alexander Pretschner.

This research is partially funded by the Interuniversity Attraction Poles Programme Belgian State, Belgian Science Policy, and by the Research Fund KU Leuven.

Cite this article

van den Berghe, A., Scandariato, R., Yskout, K. et al. Design notations for secure software: a systematic literature review. Softw Syst Model 16, 809–831 (2017). https://doi.org/10.1007/s10270-015-0486-9
