Secure Web Engineering Supported by an Evaluation Framework - Preliminary Report on a Web Engineering Approach for Secure Applications Supported by a Conceptual Evaluation Framework for Secure Systems Engineering

Marianne Busch

2014

Abstract

Daily news reports show that current web applications are often not secure enough, which threatens users' privacy as well as the image of companies. Our first aim is to make web applications more secure by taking security features into account at the very beginning of the software development life cycle (SDLC). During the requirements and design phases, graphical or textual models can help to get an overview of a web application and its security features. In addition, models can be used for documentation purposes, and security-related properties in models can be validated and transformed into artifacts for the implementation phase. We extend an existing modeling approach so that general security features such as secure connections, authentication and access control on data structures can be represented. Additionally, we focus on specific security features, e.g., access control on the navigation structure of a web application or automated reactions to denial-of-service attacks.

Collecting and analyzing data on existing security engineering methods, notations and tools (called mechanisms) is of major importance for security and software engineers, as it helps them to make decisions about solutions for upcoming tasks. These tasks can be related to the design of web applications, but can also go beyond web engineering. To ease the tasks of recording one's own results and of getting an overview of existing methods, notations and tools, the Common Body of Knowledge (CBK) was implemented as a semantic wiki within the scope of the EU project NESSoS. As members of this project, we gained experience working with the CBK and its underlying ontology and reflected on requirements for a conceptual evaluation framework. Our second aim is to provide an approach for the evaluation of methods, notations and tools for the engineering of secure software systems. Evaluation should also be possible for vulnerabilities, threats and security properties (e.g., integrity). The term "evaluation" covers the collection, analysis and finer-grained representation of (security-specific) knowledge. Another requirement is that the core framework is not overly detailed, but easy to extend.



Paper Citation


in Harvard Style

Busch M. (2014). Secure Web Engineering Supported by an Evaluation Framework - Preliminary Report on a Web Engineering Approach for Secure Applications Supported by a Conceptual Evaluation Framework for Secure Systems Engineering. In Doctoral Consortium - DCMODELSWARD, (MODELSWARD 2014) ISBN Not Available, pages 3-11


in Bibtex Style

@conference{dcmodelsward14,
author={Marianne Busch},
title={Secure Web Engineering Supported by an Evaluation Framework - Preliminary Report on a Web Engineering Approach for Secure Applications Supported by a Conceptual Evaluation Framework for Secure Systems Engineering},
booktitle={Doctoral Consortium - DCMODELSWARD, (MODELSWARD 2014)},
year={2014},
pages={3-11},
publisher={SciTePress},
organization={INSTICC},
doi={},
isbn={Not Available},
}


in EndNote Style

TY - CONF
JO - Doctoral Consortium - DCMODELSWARD, (MODELSWARD 2014)
TI - Secure Web Engineering Supported by an Evaluation Framework - Preliminary Report on a Web Engineering Approach for Secure Applications Supported by a Conceptual Evaluation Framework for Secure Systems Engineering
SN - Not Available
AU - Busch M.
PY - 2014
SP - 3
EP - 11
DO -