Special Issue: Software Artifacts Comprehension; Guest Editor: Nenad StankovicNo Access

UNDERSTANDING AND COMMUNICATING IT SECURITY SPECIFICATIONS WITH UML

Nanyang Technological University, School of Computer Engineering, Nanyang Avenue Block N4, Singapore 639798, Singapore

and

Helsinki University of Technology, Telecommunications Software and Multimedia Laboratory, P.O. Box 5400, FIN-02015 HUT, Finland

Search for more papers by this author

https://doi.org/10.1142/S0218194005002580Cited by:0 (Source: Crossref)

Abstract

Security specifications of IT products and systems are inherently complex and may subject products to semantic threats due to misunderstanding of key aspects of security objectives by developers, customers and end users. A study is conducted on expressing the security specifications by specially interpreted UML use case diagrams to avoid misunderstanding by peer groups, i.e. to prevent semantic threats at the development phase through improved comprehension of security specifications. We base our results on engineering frameworks for comprehensive security and demonstrate the need for improved communication by concrete examples of semantic threats. The threats result from the use of complex textual artifacts as a means of communicating the security requirements. We demonstrate the use of a diagrammatic technique for expressing and communicating security specifications in a less ambiguous manner and illustrate how the technique assists in communication.

Keywords:

References

R. Anderson , Security Engineering: A Guide to Building Dependable Distributed Systems ( John Wiley , New York , 2001 ) . Google Scholar
R. Baskerville, The Journal of Management Systems 4(1), 1 (1992). Google Scholar
R. Baskerville, ACM Computing Surveys 25(4), 375 (1993). Crossref, Web of Science, Google Scholar
R. Baskerville, Int. J. Information Management 14(5), 385 (1994). Web of Science, Google Scholar
Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and General Model, ISO/IEC 15408-1, 1999 . Google Scholar
Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security Functional Requirements, ISO/IEC 15408-2, 1999 . Google Scholar
Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security Assurance Requirements, ISO/IEC 15408-3, 1999 . Google Scholar
Common Evaluation Methodology for Information Technology Security CEM–97/017 Part 1: Introduction and general model, Version 0.6, January 11 1997 . Google Scholar
Common Methodology for Information Technology Security Evaluation CEM–99/045 Part 2: Evaluation Methodology Version 1.0, August 1999 . Google Scholar
Commission Decision of 14 July, 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with directive 1999/93/ec of the European Parliament and of the Council, Official Journal of the European Union, L 175/45, July 15, 2003 . Google Scholar
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community Framework for Electronic Signatures, December 1999 . Google Scholar
Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures, ETSI Special Report SR 002 176, Version 1.1.1, March 2003 . Google Scholar
A. Hartmann , Comprehensive information technology security: A new approach to respond ethical and social issues surrounding information security in the 21st century , Proc. IFIP TC11 11th Int. Conf. on Information Systems Security ( 1995 ) . Google Scholar
J. Jürjens , Secure Systems Development with UML ( Springer , 2003 ) . Google Scholar
S. Kowalski , Computer ethics and computer abuse: A longitudinal study on Swedish university students , Proc. IFIP TC11 6th Int. Conf. on Information Systems Security ( 1990 ) . Google Scholar
R. Kruger and J. Eloff, A common criteria framework for the evaluation of information technology systems security, Information Security in Research and Business — Proc. IFIP TC11 13th Int. Conf. on Information Security, eds. L. Yngström and J. Carlsen (Chapman & Hall, 1997) pp. 192–197. Google Scholar
J. Leiwo , A mechanism for deriving specifications of security functions in the CC framework , Database and Expert Systems Applications, 10th Int. Conf. DEXA'99 , LNCS 1677 ( Springer-Verlag , 1999 ) . Google Scholar
J. Leiwo, A technique for modeling and analysis of common criteria security environments and security objectives, Proc. 9th Nordic Workshop on Secure IT Systems — Encouraging Co-operation (2004) pp. 45–52. Google Scholar
J. Leiwo and S. Heikkuri , A group-enhanced ISSI model for secure interconnection of information systems , Proc. IFIP TC11 14th Int. Conf. on Information Security, Sec'98 ( 1998 ) . Google Scholar
Text for ISO/IEC 1st DTR, Information technology — Security techniques — A framework for IT security assurance — Part 1: Overview and framework, ISO/IEC JTC1/SC27 N3592, 2003-06-11 . Google Scholar
Text for ISO/IEC 3rd WD 15443–3 Information technology — Security techniques — A framework for IT security assurance — Part 3: Analysis of assurance methods, ISO/IEC JTC1/SC27 Working draft N3614, 2003-07-15 . Google Scholar
Text for ISO/IEC DTR 15443-2 — Information technology — Security techniques — A framwork for IT security assurance — Part 2: Assurance methods, ISO/IEC JTC1/SC27 N3799, 2004-02-26 . Google Scholar
P. G. Neumann, Principled Assuredly Trustworthy Composable Architectures: Final Report, Available at http://www.csl.sri.com/neumann/chats4.pdf, SRI International, Menlo Park, CA, 2003 . Google Scholar
R. E. Smith, ACM Trans. on Information and System Security 4(1), 72 (2001). Crossref, Google Scholar
Secure Signature — Creation Devices `EAL4+', CEN Workshop Agreement CWA14169, March 2002 . Google Scholar
R. Von Solms and H. Van De Haar, From trusted information security controls to a trusted information security environment, Information Security for Global Information Infrastructures — Proc. IFIP TC11 16th Annual Working Conf. on Information Security, eds. S. Qing and J. H. Eloff (Kluwer Academic Publishers, 2000) pp. 29–36. Google Scholar
M. Wetterling, G. Wimmel and A. Wisspeintner, Secure systems development based on the common criteria: The PalME project, Proc. 10th ACM SIGSOFT Symposium on Foundations of Software Engineering, eds. M. L. Soffa and W. Griswold (ACM Press, 2002) pp. 129–138. Google Scholar

Vol. 15, No. 06

Metrics

Downloaded 14 times

History

Keywords

PDF download

System Upgrade on Tue, May 28th, 2024 at 2am (EDT)

UNDERSTANDING AND COMMUNICATING IT SECURITY SPECIFICATIONS WITH UML

Abstract

Recommended