An Integrated Secure Software Engineering Approach for Functional, Collaborative, and Information Concerns

J. A. Pavlich-Mariscal (Pontificia Universidad Javeriana, Colombia), S. Berhe (University of Connecticut, USA), A. De la Rosa Algarín (University of Connecticut, USA) and S. Demurjian (University of Connecticut, USA)
DOI: 10.4018/978-1-5225-3923-0.ch012

Abstract

This chapter explores a secure software engineering approach that spans functional (object-oriented), collaborative (sharing), and information (Web modeling and exchange) concerns in support of role-based (RBAC), discretionary (DAC), and mandatory (MAC) access control. By extending UML with security diagrams for RBAC, DAC, and MAC, we are able to design an application with all of its concerns from the start, rather than deferring security to a later stage of the design process, where it can have significant impact and require wide-ranging changes to a nearly completed design. Including security early makes it a first-class part of the application design, with separate abstractions for security captured in the new UML diagrams. From these diagrams it is then possible to generate security policies and enforcement code for RBAC, DAC, and MAC, which keeps security separate from the application so that security changes have less impact on it. The end result is a secure software engineering approach within a UML context that is capable of modeling an application's functional, collaborative, and information concerns.
Chapter Preview

1 Introduction

The software development process has seen significant improvements over the past forty-plus years, from the introduction of the waterfall model (Winston, 1970), to the iterative model (Larman and Basili, 2002) in the late 1970s, to the spiral model (Boehm, 1986) in the mid-1980s, to the unified process model (Scott, 2001), to the agile development lifecycle (Craig, 2003) in the early 21st century. Despite this progress, many challenges remain when one attempts to design and develop large-scale applications, where there is a myriad of concerns such as user interfaces, server functionality, database support, logging and historical tracking, and secure information modeling, access, and enforcement. Rather than being separated, these concerns are often entangled: in an object-oriented application, for example, code to read and write the database can be spread across multiple classes even when the database is abstracted via Hibernate. Security likewise cuts across the entire application, with checks and enforcement at the GUI level, the server level, the database level, the network communications level, and so on. All of these concerns end up tangled with one another and spread across the application's varied components. As a result, security cannot be easily isolated or traced in terms of an application's functional, collaborative, and information concerns; in such a situation, changes to the security policy often require code-level alterations, which are not acceptable in practice. The intent of this chapter is to elevate security to a primary and early priority in the software development process, providing a secure engineering approach that encompasses functional, collaborative, and information concerns.
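The separation that the abstract describes and the tangling the introduction warns about, as an added Python example that is not the chapter's code or its generated output: the functional class carries no security logic; RBAC, DAC and MAC live in policy tables (standing in for what a generator would emit from the security diagrams) and are enforced by a proxy, so a policy change such as a DAC delegation needs no edit to the class. The PatientRecord class, the subjects, the Bell-LaPadula reading of MAC, and the rule that access requires (an RBAC grant or a DAC delegation) and MAC are all assumptions made for this example.

```python
"""Added illustration (not the chapter's code or generated output): enforcement kept
separate from functional classes, driven by policy tables standing in for what a
generator would emit from the RBAC/DAC/MAC diagrams. Names, the PatientRecord class
and the combination rule are assumptions made for this example."""
from dataclasses import dataclass, field
from functools import wraps

# ---- Functional concern: ordinary application class with no security code inside ----
@dataclass
class PatientRecord:
    patient_id: str
    owner: str            # creator of the record (DAC owner)
    classification: str   # MAC label: "public" < "confidential" < "secret"
    notes: list = field(default_factory=list)

    def read_notes(self):
        return list(self.notes)

    def add_note(self, text):
        self.notes.append(text)

# ---- Security concern: policy data, conceptually generated from the model ----
LEVELS = {"public": 0, "confidential": 1, "secret": 2}
RBAC = {  # role -> permitted (class, method) pairs (assumed policy)
    "physician": {("PatientRecord", "read_notes"), ("PatientRecord", "add_note")},
    "nurse": {("PatientRecord", "read_notes")},
}
DAC = {}  # (object id, user) -> methods the owner has delegated to that user
WRITE_METHODS = {"add_note"}  # state-changing methods; derivable from the class model

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    clearance: str

def authorize(subject, target, method):
    """Assumed rule: (RBAC grant or DAC delegation) and MAC (Bell-LaPadula:
    no read up, no write down)."""
    cls = type(target).__name__
    rbac_ok = any((cls, method) in RBAC.get(role, set()) for role in subject.roles)
    dac_ok = (subject.user == target.owner
              or method in DAC.get((target.patient_id, subject.user), set()))
    if not (rbac_ok or dac_ok):
        raise AccessDenied(f"{subject.user}: no RBAC/DAC grant for {cls}.{method}")
    subj_lvl, obj_lvl = LEVELS[subject.clearance], LEVELS[target.classification]
    if method in WRITE_METHODS and subj_lvl > obj_lvl:
        raise AccessDenied("MAC: write down forbidden")
    if method not in WRITE_METHODS and subj_lvl < obj_lvl:
        raise AccessDenied("MAC: read up forbidden")

class Guarded:
    """Enforcement layer: a proxy that authorizes each method call, then delegates.
    The functional class is never edited when the policy tables change."""
    def __init__(self, target, subject):
        self._target, self._subject = target, subject

    def __getattr__(self, name):
        attr = getattr(self._target, name)
        if not callable(attr):
            return attr
        @wraps(attr)
        def guarded(*args, **kwargs):
            authorize(self._subject, self._target, name)
            return attr(*args, **kwargs)
        return guarded

def attempt(subject, record, method, *args):
    """Run one guarded call and report the outcome as a string."""
    try:
        getattr(Guarded(record, subject), method)(*args)
        return "allowed"
    except AccessDenied as exc:
        return f"denied: {exc}"

def demo():
    """Constructed scenario; returns the outcome of each access attempt."""
    DAC.clear()  # start from an empty delegation table each run
    rec = PatientRecord("p-001", owner="dr_ada", classification="confidential")
    ada = Subject("dr_ada", frozenset({"physician"}), "confidential")
    bea = Subject("bea", frozenset({"nurse"}), "public")
    cal = Subject("cal", frozenset({"nurse"}), "confidential")
    dan = Subject("dan", frozenset({"physician"}), "secret")
    out = {
        "physician_write": attempt(ada, rec, "add_note", "BP 120/80"),
        "nurse_read_up": attempt(bea, rec, "read_notes"),       # MAC blocks read up
        "nurse_read": attempt(cal, rec, "read_notes"),
        "nurse_write_no_grant": attempt(cal, rec, "add_note", "x"),
    }
    # Policy change only: the owner delegates add_note to cal (DAC); no class is edited
    DAC[("p-001", "cal")] = {"add_note"}
    out["nurse_write_delegated"] = attempt(cal, rec, "add_note", "temp 37.1")
    out["secret_write_down"] = attempt(dan, rec, "add_note", "y")  # MAC: no write down
    out["notes"] = rec.read_notes()
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print each outcome. Two caveats a practitioner would check before trusting generated enforcement of this shape: the proxy guards method calls only, so plain field access (`rec.notes`) bypasses it unless the generator also emits attribute guards or the fields are made private; and the DAC table is keyed on the object's identifier, so the generated code must take that identifier from the object itself, never from the caller.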