Using model-based security analysis in component-oriented system development: A Case-based Evaluation

Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

Volumn , Issue , 2006, Pages 11-17

  Brændeland, Gyrd ^a   Stølen, Ketil ^a  

^a UNIVERSITY OF OSLO   (Norway)

Author keywords

Case studies; Security risk analysis

Indexed keywords

COMPUTER SOFTWARE SELECTION AND EVALUATION; MATHEMATICAL MODELS; MESSAGE PASSING; RISK ANALYSIS; SECURITY OF DATA;

INSTANT MESSAGING; SECURITY RISK ANALYSIS; STAKEHOLDERS;

SOFTWARE ENGINEERING;

EID: 34547449378     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1179494.1179498     Document Type: Conference Paper

References (23)

1. G. Brændeland and K. Stølen. A semantic paradigm for component-based specification integrating a notion of security risk. To appear in Proceedings of the fourth international Workshop on Formal Aspects in Security and Trust (FAST'06), 2006.
2. G. Brændeland and K. Stølen. Using model-based security analysis in component-oriented system development, a case-based evaluation. Technical Report 342, University of Oslo, Department of Informatics, 2006.
3. J. Cheesman and J. Daniels. UML Components. A simple process for specifying component-based software. Component software series. Addison-Wesley, 2001.
4. V. Cortellessa, K. Goseva-Popstojanova, K. Appukkutty, A. Guedem, A. E. Hassan, R. Elnaggar, W. Abdelmoez, and H. H. Ammar. Model-based performance risk analysis. IEEE Transactions on Software Engineering, 31(1):3-20, 2005.
5. F. den Braber, T. Dimitrakos, B. A. Gran, M. S. Lund, K. Stolen, and J. Ø. Aagedal. UML and the Unified Process, chapter The CORAS methodology: model-based risk management using UML and UP, pages 332-357. IRM Press, 2003.
6. K. Goseva-Popstojanova, A. E. Hassan, A. Guedem, W. Abdelmoez, D. E. M. Nasser, H. H. Ammar, and A. Mili. Architectural-level risk analysis using UML. IEEE Transactions on Software Engineering, 29(10):946-960, 2003.
7. Ø. Haugen, K. E. Husa, R. K. Runde, and K. Stølen. Why timed sequence diagrams require three-event semantics. Technical Report 309, University of Oslo, Department of Informatics, 2004.
8. Ø. Haugen and K. Stølen. STAIRS - steps to analyze interactions with refinement semantics. In UML, volume 2863 of Lecture Notes in Computer Science, pages 388-402. Springer, 2003.
9. ISO/IEC. Information Technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004. TR 13335-1.
10. J. Jürjens, editor. Secure systems develoment with UML. Springer, 2005.
11. P. Kruchten, editor. The rational unified process. An introduction. Addison-Wesley, 2004.
12. T. Lodderstedt, D. A. Basin, and J. Doser. SecureUML: A UML-based modeling language for model-driven security. In UML, volume 2460 of Lecture Notes in Computer Science, pages 426-441. Springer, 2002.
13. J. P. McDermott. Abuse-case-based assurance arguments. In ACSAC, pages 366-376. IEEE Computer Society, 2001.
14. J. P. McDermott and C. Fox. Using abuse case models for security requirements analysis. In ACSAC, pages 55-. IEEE Computer Society, 1999.
15. G. McGraw. Sofware security: Building security in. Software security. Adison-Wesley, 2006.
16. F. Redmill, M. Chudleigh, and J. Catmir. System safety: HazOp and software HazOp. Wiley, 1999.
17. A. Refsdal, K. E. Husa, and K. Stølen. Specification and refinement of soft real-time requirements using sequence diagrams. In FORMATS, volume 3829 of Lecture Notes in Computer Science, pages 32-48. Springer, 2005.
18. J. Rumbaugh, I. Jacobsen, and G. Booch. The unified modeling language reference manual. Addison-Wesley, 2005.
19. G. Sindre and A. L. Opdahl. Eliciting security requirements by misuse cases. In 37th Technology of Object-Oriented Languages and Systems (TOOLS-37 Pacific 2000), pages 120-131. IEEE Computer Society, 2000.
20. G. Sindre and A. L. Opdahl. Eliciting security requirements with misuse cases. Requirements Engineering, 10(1):34-44, 2005.
21. Standards Australia, Standards New Zealand. Information security risk management guidelines, 2004. HB 231:2004.
22. Symantec. Symantec internet security threat report. Trends for July 05-December 05, March 2006.
23. T. Watson and P. Kriens. OSGi component programming. Tutorial held at Eclipsecon 2006, 2006.