Secure Software Development: Security Use Cases & Model-Driven Security with UML, Slides of Software Engineering

An in-depth exploration of secure software development, focusing on the application of touchpoints (abuse cases, security requirements, risk analysis, code review, risk-based security tests, penetration testing, security operations) across requirements and use cases, architecture and design, test plans, code, tests and test results, and feedback from the field. It also covers the use of SecureUML for role-based access control and mandatory access control, and discusses the advantages and limitations of model-driven software development integrated with security, as well as the importance of a formal semantics of the modeling language for security assurance.

Typology: Slides

2012/2013

Uploaded on 04/26/2013

sharad_984


Secure Software Development

Security Use Cases

Application of Touchpoints

Figure: the security touchpoints laid over the software artifacts they apply to.

Software artifacts (lifecycle order):

• Requirements and Use Cases
• Architecture and Design
• Test Plans
• Code
• Tests and Test Results
• Feedback from the Field

Touchpoints (numbered as in the figure):

1. Code Review (Tools)
2. Risk Analysis
3. Penetration Testing
4. Risk-Based Security Tests
5. Abuse Cases
6. Security Requirements
7. Security Operations

External Review (spans all artifacts)

SecureUML

• Lodderstedt, Basin, and Doser
• Role-Based Access Control, MAC
• Uses UML to specify access control
• Security is "horizontal" to software development: it cuts across every artifact rather than living in one component
• Ad hoc, "after-the-development" security integration is error prone, can be costly, and may have a negative impact on the system

SecureUML

• Model-driven software development integrated with security
• Advantages:
  • Security is integrated during software design, at a high level of abstraction
  • Modeling information can be used to detect design errors and verify correctness
• Limitation: requires a precise semantics of the modeling language before any security assurance can be drawn from the model

UML Elements

• Actors

• Business processes

• Logical components

• Activities

• Programming language statements

• Database schemas

• Reusable software components

UML Diagrams

Figure: overview of the UML diagram types. Source: Wikipedia, http://en.wikipedia.org/wiki/Unified_Modeling_Language

RBAC

• Intuitive and easy to administer
• Well established and supported by a large number of software platforms
• Limitation: cannot express access conditions that depend on system state (e.g., "only the owner of this record may change it") → Authorization Constraints (Object Constraint Language)

RBAC3

Figure: the RBAC3 model. Sets: Users (U), Roles (R), Permissions (P), Sessions (S). Relations: user assignment (U to R), permission assignment (R to P); a session belongs to one user and activates a subset of that user's roles. Constraints apply to the assignments and sessions.

Lecture 17, slide 13
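The RBAC3 components above in Python, with one authorization constraint attached to a permission to show the state-dependent condition that plain RBAC cannot express. This is an added example for this page, not code from the slides or from the SecureUML authors; the Meeting resource and the rule "a User may cancel only meetings they own" are constructed (in SecureUML such a rule would be an OCL expression on the permission, here it is a Python predicate over the caller and the object).

```python
"""RBAC3 (users, roles, permissions, sessions, UA, PA, role hierarchy)
extended with state-based authorization constraints.

Added example for this page, not code from the slides or from the SecureUML
authors. The Meeting resource and the constraint "a User may cancel only
meetings they own" are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Set, Tuple

Permission = Tuple[str, str]                # (resource type, action), e.g. ("Meeting", "cancel")
Constraint = Callable[[str, object], bool]  # predicate over (caller, protected object)


@dataclass
class Meeting:                              # constructed protected resource
    owner: str
    cancelled: bool = False


@dataclass(frozen=True)
class Session:                              # S: one user with a subset of their roles activated
    user: str
    active_roles: FrozenSet[str]


class RBAC:
    def __init__(self) -> None:
        self.ua: Dict[str, Set[str]] = {}           # user assignment: user -> roles
        self.pa: Dict[str, Set[Permission]] = {}    # permission assignment: role -> permissions
        self.juniors: Dict[str, Set[str]] = {}      # role hierarchy: role -> roles it inherits from
        self.constraints: Dict[Tuple[str, Permission], Constraint] = {}

    def add_role(self, role: str, inherits: Iterable[str] = ()) -> None:
        self.pa.setdefault(role, set())
        self.juniors[role] = set(inherits)

    def assign_user(self, user: str, role: str) -> None:
        if role not in self.pa:
            raise KeyError(f"unknown role {role!r}")
        self.ua.setdefault(user, set()).add(role)

    def assign_permission(self, role: str, perm: Permission,
                          constraint: Optional[Constraint] = None) -> None:
        self.pa[role].add(perm)
        if constraint is not None:
            self.constraints[(role, perm)] = constraint

    def _effective_roles(self, roles: Iterable[str]) -> Set[str]:
        # transitive closure over the hierarchy: a senior role holds its juniors' permissions
        seen, todo = set(), list(roles)
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo.extend(self.juniors.get(role, ()))
        return seen

    def create_session(self, user: str, roles: Iterable[str]) -> Session:
        wanted = frozenset(roles)
        assigned = self.ua.get(user, set())
        if not wanted <= assigned:                  # only assigned roles may be activated
            raise PermissionError(f"{user} may not activate {sorted(wanted - assigned)}")
        return Session(user, wanted)

    def check(self, session: Session, perm: Permission, obj: object = None) -> bool:
        """Grant iff some active (or inherited) role holds perm and the
        authorization constraint on that (role, perm), if any, holds for this caller and object."""
        for role in self._effective_roles(session.active_roles):
            if perm in self.pa[role]:
                constraint = self.constraints.get((role, perm))
                if constraint is None or constraint(session.user, obj):
                    return True
        return False


def demo() -> Dict[str, bool]:
    rbac = RBAC()
    rbac.add_role("User")
    rbac.add_role("Supervisor", inherits=["User"])
    cancel: Permission = ("Meeting", "cancel")
    # OCL-style constraint "self.owner = caller", attached to the User permission only
    rbac.assign_permission("User", cancel, constraint=lambda caller, m: m.owner == caller)
    rbac.assign_permission("Supervisor", cancel)    # unconstrained for supervisors
    for user, role in [("alice", "User"), ("bob", "User"), ("carol", "Supervisor")]:
        rbac.assign_user(user, role)

    meeting = Meeting(owner="alice")
    alice = rbac.create_session("alice", ["User"])
    bob = rbac.create_session("bob", ["User"])
    carol = rbac.create_session("carol", ["Supervisor"])
    try:
        rbac.create_session("bob", ["Supervisor"])  # bob was never assigned Supervisor
        bob_escalates = True
    except PermissionError:
        bob_escalates = False
    return {
        "owner_cancels": rbac.check(alice, cancel, meeting),
        "other_user_cancels": rbac.check(bob, cancel, meeting),
        "supervisor_cancels": rbac.check(carol, cancel, meeting),
        "bob_can_activate_supervisor": bob_escalates,
    }


if __name__ == "__main__":
    print(demo())
```

The constraint is keyed on the (role, permission) pair, mirroring SecureUML, where the constraint annotates the permission that links a role to a resource action: carol's Supervisor role carries an unconstrained copy of the same permission, so inheriting the constrained User permission does not limit her.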

Mandatory Access Control

• Security labels: (A, C), where
  • A: a total order, e.g., Top-Secret > Secret > Public
  • C: a domain (a subset of a set of categories), e.g., the subsets of {5, 7} are {5,7}, {5}, {7}, {}, and
    {5,7} ⊇ {5,7}, {5}, {7}, {}; {5} ⊇ {5}, {}; {7} ⊇ {7}, {}; {} ⊇ {}; but {7} is NOT ⊇ {5}
• Dominance (≥): label l = (A, C) dominates l' = (A', C') iff A ≥ A' and C ⊇ C'
  • e.g., (confidential, {student-info}) ≥ (public, {student-info})
  • BUT (confidential, {student-info}) NOT ≥ (public, {student-info, department-info})


Bell-LaPadula Axioms

• Simple-security property: a subject s is allowed to read an object o only if the security label of s dominates the security label of o
  • No read up
  • Applies to all subjects
• *-property: a subject s is allowed to write an object o only if the security label of o dominates the security label of s
  • No write down
  • Applies to untrusted subjects only
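The label lattice and both Bell-LaPadula axioms above as running code, checked against the slide's own label examples. This is an added example, not code from the slides; the four-level ordering extends the slide's Top-Secret > Secret > Public with the "confidential" level used in its dominance examples, and the `trusted` flag on a subject is how the example models "applies to untrusted subjects only".

```python
"""Security labels (A, C), dominance, and the Bell-LaPadula axioms.

Added example for this page, not code from the slides. Level names and
compartment names follow the slide's examples; Subject.trusted models the
slide's "applies to un-trusted subjects only" for the *-property.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# A: a total order, lowest first.
LEVELS = ("public", "confidential", "secret", "top-secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()    # C: a subset of the compartment domain

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """l >= l' iff A >= A' and C is a superset of C'."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)

    def comparable(self, other: "Label") -> bool:
        # labels form a lattice, not a total order: two labels may be incomparable
        return self.dominates(other) or other.dominates(self)


def label(level: str, *compartments: str) -> Label:
    return Label(level, frozenset(compartments))


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label
    trusted: bool = False    # exempt from the *-property only, never from simple security


def may_read(subject: Subject, obj: Label) -> bool:
    """Simple-security property (no read up): label(s) must dominate label(o). All subjects."""
    return subject.clearance.dominates(obj)


def may_write(subject: Subject, obj: Label) -> bool:
    """*-property (no write down): label(o) must dominate label(s). Untrusted subjects only."""
    if subject.trusted:
        return True
    return obj.dominates(subject.clearance)


def demo() -> Dict[str, bool]:
    # the slide's dominance examples
    conf_student = label("confidential", "student-info")
    pub_student = label("public", "student-info")
    pub_student_dept = label("public", "student-info", "department-info")

    analyst = Subject("analyst", label("confidential", "student-info"))
    downgrader = Subject("downgrader", label("secret", "student-info", "department-info"), trusted=True)

    return {
        "conf_student_dominates_pub_student": conf_student.dominates(pub_student),
        "conf_student_dominates_pub_student_dept": conf_student.dominates(pub_student_dept),
        "incomparable": not conf_student.comparable(pub_student_dept),
        "analyst_reads_public_student": may_read(analyst, pub_student),
        "analyst_reads_secret": may_read(analyst, label("secret", "student-info")),   # read up
        "analyst_writes_up": may_write(analyst, label("secret", "student-info")),
        "analyst_writes_down": may_write(analyst, pub_student),                       # write down
        "trusted_downgrader_writes_down": may_write(downgrader, pub_student),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Note the third result: (confidential, {student-info}) and (public, {student-info, department-info}) are incomparable, so neither subject cleared at one could read an object labelled at the other. The trusted downgrader is still bound by simple security; the slide's exemption covers only the *-property.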

Model Driven Architecture

Figure: Model Driven Architecture and Model Driven Security (labels from the slide's figure). Source: D. Basin et al., ACM Trans. on Software Engineering and Methodology, 15(1), 2006

Model Driven Security

• Security modeling language
• System design modeling language
• Dialect: the connection point for integrating the security and system models

Figure: Model Driven Security: security modeling language, system design modeling language, and dialect. Source: D. Basin et al., ACM Trans. on Software Engineering and Methodology, 15(1), 2006

SecureUML

• Defines a vocabulary for annotating UML-based models with access control information
• Abstract syntax: formal definition, e.g., a grammar
• Concrete syntax: notation (a UML profile)
• Host language: a modeling language that uses SecureUML
• SecureUML dialect: SecureUML specifications are refined in the host language
  • E.g., syntactic elements of the modeling language are transformed into constructs of the target platform

Needs the capability to combine sub-expressions from different languages!
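A concrete instance of the last two points, as an added example that is not from the slides or the SecureUML authors: an authorization constraint written in an OCL-like sub-language over the design model (`self.owner = caller`) is transformed into a construct of the target platform, here a SQL row-existence query, and the two languages' sub-expressions are combined into one enforceable check. The OCL subset, the `self`/`caller` vocabulary and the meeting table are constructed for the illustration; any attribute the expression names must exist as a column in the host model's table.

```python
"""A SecureUML-style authorization constraint, written as an OCL-like expression
over the design model, compiled into a target-platform construct: a SQL
row-existence query. Added example for this page, not code from the slides or
the SecureUML authors; the OCL subset, the self/caller vocabulary and the
meeting table are constructed for the illustration.
"""
import re
import sqlite3
from typing import Dict, List, Tuple

# Tokens: integer | 'string' | comparison or parenthesis | dotted identifier
TOKEN_RE = re.compile(r"\s*(?:(\d+)|('[^']*')|(<=|>=|<>|[=<>()])|([A-Za-z_][A-Za-z_0-9.]*))")
COMPARE = {"=", "<>", "<", ">", "<=", ">="}


def tokenize(src: str) -> List[str]:
    tokens, pos, src = [], 0, src.strip()
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise SyntaxError(f"bad token at {pos}: {src[pos:]!r}")
        pos = m.end()
        tokens.append(m.group(m.lastindex))
    return tokens


class OclToSql:
    """Recursive descent over: expr := conj ('or' conj)*; conj := cmp ('and' cmp)*;
    cmp := '(' expr ')' | operand (COMPARE operand)?;
    operand := self.ATTR | caller | caller.ATTR | INT | 'STRING'."""

    def __init__(self, tokens: List[str]) -> None:
        self.toks, self.i, self.params = tokens, 0, []   # params: bind names the platform must supply

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def expr(self) -> str:
        left = self.conj()
        while self.peek() == "or":
            self.take()
            left = f"({left} OR {self.conj()})"
        return left

    def conj(self) -> str:
        left = self.cmp()
        while self.peek() == "and":
            self.take()
            left = f"({left} AND {self.cmp()})"
        return left

    def cmp(self) -> str:
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
            return inner
        left = self.operand()
        if self.peek() in COMPARE:
            return f"{left} {self.take()} {self.operand()}"
        return left                                    # bare boolean attribute, e.g. self.isPublic

    def operand(self) -> str:
        tok = self.take()
        if tok is None:
            raise SyntaxError("unexpected end of constraint")
        if tok.startswith("self.") and tok[5:].isidentifier():   # object attribute -> column
            return tok[5:]
        if tok == "caller" or tok.startswith("caller."):          # caller context -> bind parameter
            self.params.append(tok.replace(".", "_"))
            return ":" + self.params[-1]
        if tok.isdigit() or tok.startswith("'"):                  # literal passes through
            return tok
        raise SyntaxError(f"unknown operand {tok!r}")


def compile_constraint(ocl: str, table: str) -> Tuple[str, List[str]]:
    """Return (SQL, bind names); the query yields a row iff the constraint holds for :id."""
    p = OclToSql(tokenize(ocl))
    where = p.expr()
    if p.peek() is not None:
        raise SyntaxError(f"trailing input: {p.toks[p.i:]}")
    return f"SELECT 1 FROM {table} WHERE id = :id AND ({where})", p.params


def demo() -> Dict[str, bool]:
    conn = sqlite3.connect(":memory:")                 # constructed platform state
    conn.execute("CREATE TABLE meeting (id INTEGER PRIMARY KEY, owner TEXT, isPublic INTEGER)")
    conn.executemany("INSERT INTO meeting VALUES (?, ?, ?)", [(1, "alice", 0), (2, "bob", 1)])
    sql, params = compile_constraint(
        "self.owner = caller or (self.isPublic and caller.clearance >= 2)", "meeting")

    def allowed(meeting_id: int, caller: str, clearance: int) -> bool:
        ctx = {"caller": caller, "caller_clearance": clearance}
        binds = {"id": meeting_id, **{name: ctx[name] for name in params}}
        return conn.execute(sql, binds).fetchone() is not None

    return {"owner": allowed(1, "alice", 0), "stranger_private": allowed(1, "bob", 3),
            "public_cleared": allowed(2, "alice", 2), "public_uncleared": allowed(2, "alice", 1)}
```

Two design points matter for the security of such a transformation. Model-side values (`self.attr`) become column names only after passing an identifier check, and caller-side values never become SQL text at all: they become bind parameters that the platform supplies at call time, so nothing from the runtime request is spliced into the generated query. The generated constraint is the only thing whose text comes from the model, and the model is trusted input.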