Article Preview
Top1. Introduction
The application of ICT to the financial services industry can support the automation of a number of functions, which are crucial for the further development of the sector, such as the management of pre-employment screening, coordination of financial teams, compliance with relevant regulations and analysis of financial data. The credit crunch and the events of the last couple of years meant that the financial services industry is faced with large changes and as such the development of software systems to support the financial services industry and peripheral sectors introduces a number of new challenges and difficulties.
Security is arguably one of the most crucial and necessary features of software systems that support the financial services industry and an acceptable financial software system may under no circumstances endanger the risk of monetary lose and the leakage of relevant sensitive (private or otherwise) data.
In software engineering practice the usual approach is to perform the analysis, design and implementation of a software system without considering security, and then add security as an afterthought (Devanbu & Stubblebine, 2000; Mouratidis et al., 2006). Nevertheless, recent research has shown that such approach introduces a number of problematic areas and it leads to security vulnerabilities that are usually identified after the implementation and deployment of the system. Since at this point it is quite expensive to redevelop the system to completely overcome such vulnerabilities, the usual approach is to “patch” some of these vulnerabilities as they are identified. However, this is not an acceptable standard for the development of high risk software systems software systems (Blobel & France, 2001; Mouratidis, 2004).
The last few years, it has been widely argued, especially within the requirements engineering (Haley et al., 2006; Basin et al., 2003; Hermann & Pernul, 1999) and information systems (Devanbu, 2000; McDermott & Fox, 1999; Mouratidis & Giorgini, 2006) research communities, that the number of security vulnerabilities could be reduced if security is considered from the early stages of the development process, i.e., a Secure by Design (SbD) approach is employed to support the development of secure software systems. Generally speaking, Secure by Design, within the context of software engineering, means that the software has been designed from the ground up to be secure. In academia, this practice is mostly known as secure software systems engineering or software engineering for secure systems amongst other terms. Our work is not the only effort at integrating security considerations into software engineering practices and methods. Security requirements frameworks have been proposed (Haley et al., 2006; Mead, 2006) for security requirements elicitation, specification and analysis. On another line of work, the behaviour of potential attackers is used to model security (Lamsweerde & Letier, 2000; Lin et al., 2003). Works have also been presented that extended use cases with respect to security analysis (Hermann & Pernul, 1999; Alexander, 2003). In addition, a large number of efforts are focused on extending existing methods and languages for software systems development (Basin et al., 2003; McDermott & Fox, 1999). Apart from the academic works, industry has also started to recognize the advantages of developing software systems following the Secure by Design principles. Microsoft has introduced the Security Development Process (http://www.siliconrepublic.com/strategy/item/18252-citrix-and-mcafee-release/).