Abstract
Software engineers need to find effective methods, appropriate notations and tools that support the development of secure applications along the different phases of the Software Development Life Cycle (SDLC). Our evaluation approach, called SecEval, supports the search and comparison of these artifacts. SecEval comprises: (1) a workflow that defines the evaluation process, which can be easily customized and extended; (2) a security context model describing security features, methods, notations and tools; (3) a data collection model, which records how data is gathered when researchers or practitioners are looking for artifacts that solve a specific problem; (4) a data analysis model specifying how analysis, using previously collected data, is performed; and (5) the possibility to easily extend the models, which is shown by example for risk rating and experimental approaches. The validation of SecEval was performed for tools in the web testing domain.
This work has been supported by the EU-NoE project NESSoS, GA 256980.
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Busch, M., Koch, N., Wirsing, M. (2014). Evaluation of Engineering Approaches in the Secure Software Development Life Cycle. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds) Engineering Secure Future Internet Services and Systems. Lecture Notes in Computer Science, vol 8431. Springer, Cham. https://doi.org/10.1007/978-3-319-07452-8_10
DOI: https://doi.org/10.1007/978-3-319-07452-8_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07451-1
Online ISBN: 978-3-319-07452-8
eBook Packages: Computer Science (R0)