
Evaluation of Engineering Approaches in the Secure Software Development Life Cycle

Engineering Secure Future Internet Services and Systems

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8431)

Abstract

Software engineers need to find effective methods, appropriate notations and tools that support the development of secure applications along the different phases of the Software Development Life Cycle (SDLC). Our evaluation approach, called SecEval, supports the search and comparison of these artifacts. SecEval comprises: (1) a workflow that defines the evaluation process, which can be easily customized and extended; (2) a security context model describing security features, methods, notations and tools; (3) a data collection model, which records how data is gathered when researchers or practitioners are looking for artifacts that solve a specific problem; (4) a data analysis model specifying how analysis, using previously collected data, is performed; and (5) the possibility to easily extend the models, which is shown by way of example for risk rating and experimental approaches. The validation of SecEval was performed for tools in the web testing domain.

This work has been supported by the EU-NoE project NESSoS, GA 256980.



Copyright information

© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Busch, M., Koch, N., Wirsing, M. (2014). Evaluation of Engineering Approaches in the Secure Software Development Life Cycle. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds) Engineering Secure Future Internet Services and Systems. Lecture Notes in Computer Science, vol 8431. Springer, Cham. https://doi.org/10.1007/978-3-319-07452-8_10


  • DOI: https://doi.org/10.1007/978-3-319-07452-8_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-07451-1

  • Online ISBN: 978-3-319-07452-8

  • eBook Packages: Computer Science (R0)
