On selecting appropriate development processes and requirements engineering methods for secure software

Proceedings - International Computer Software and Applications Conference

Volumn 2, Issue , 2009, Pages 353-358

  Khan, Muhammad Umair Ahmed ^a   Zulkernine, Mohammed ^a  

^a QUEEN S UNIVERSITY   (Canada)

Author keywords

Software security; secure software development process; software security requirements engineering

Indexed keywords

COMPARATIVE STUDIES; DEVELOPMENT PROCESS; ENGINEERING METHODS; IN-BUILDINGS; SECURE SOFTWARE; SECURE SOFTWARE DEVELOPMENT; SECURITY REQUIREMENTS; SECURITY REQUIREMENTS ENGINEERING; SECURITY VULNERABILITIES; SOFTWARE DEVELOPER; SOFTWARE SECURITY;

COMPUTER APPLICATIONS; LINGUISTICS; NETWORK SECURITY; REQUIREMENTS ENGINEERING; SOFTWARE DESIGN; SPECIFICATION LANGUAGES; SPECIFICATIONS; WORD PROCESSING;

COMPUTER SOFTWARE SELECTION AND EVALUATION;

EID: 70449679234     PISSN: 07303157     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/COMPSAC.2009.206     Document Type: Conference Paper

References (33)

1. G. McGraw, Software Security: Building Security In, Addison Wesley, 2006.
2. J. Juerjens, Secure Systems Development with UML, Springer, 2005.
3. J. Gregoire, K. Buyens, B. De Win, R. Scandariato, and W. Joosen, "On the Secure Software Development Process: CLASP and SDL Compared," In Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS'07), Minneapolis, MN, USA, IEEE CS Press, 2007, pp. 1-1
4. M. Howard and S. Lipner, The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software, Microsoft Press, 2006.
5. OWASP CLASP Project, http://www.owasp.org/index.php/Category:OWASP-CLASP- Project. Last Accessed March 2009.
6. I. Flechais, C. Mascolo, and M.A. Sasse, "Integrating Security and Usability into the Requirements and Design Process," International Journal of Electronic Security and Digital Forensics, Inderscience Publishers, Geneva, Switzerland, 2007, vol.1, no.1, pp. 12-26.
7. A.S. Sodiya, S.A. Onashoga, and O.B. Ajayi, "Towards Building Secure Software Systems," Issues in Informing Science and Information Technology, Informing Science Institute, CA, USA, 2006, vol.3, pp. 635-646.
8. L. Futcher and R.v. Solms, "SecSDM: A Model for Integrating Security into the Software Development Life Cycle," In Proceedings of the 5th World Conference on Information Security Education, Springer, 2007, pp. 41-48.
9. D. Gilliam, J. Powell, E. Haugh, and M. Bishop, "Addressing Software Security Risk and Mitigations in the Life Cycle," In Proceedings of the 28th Annual NASA Goddard Software Engineering Workshop (SEW'03), Greenbelt, MD, USA, 2003, pp. 201-206.
10. M.A. Hadawi, "Vulnerability Prevention in Software Development Process," In Proceedings of the 10th International Conference on Computer & Information Technology (ICCIT'07), Dhaka, Bangladesh, 2007.
11. S.d. Vries, "Software Testing for Security," Network Security, ScienceDirect, 2007, vol.3, pp. 11-15.
12. A. Apvrille and M. Pourzandi, "Secure Software Development by Example," IEEE Security and Privacy, IEEE CS Press, 2005, vol. 3, no. 4, pp. 10-17.
13. M. Essafi, L. Labed, and H.B. Ghezala, "S2D-ProM: A Strategy Oriented Process Model for Secure Software Development," In Proceedings of the 2nd International Conference on Software Engineering Advances (ICSEA'07), Cap Esterel, French Riviera, France, 2007, p. 24.
14. N. Davis, "Secure Software Development Life Cycle Processes: A Technology Scouting Report", Technical Note CMU/SEI-2005-TN-024, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA, 2005.
15. C.B. Haley, J.D. Moffett, R. Laney, and B. Nuseibeh, "A Framework for Security Requirements Engineering," In Proceedings of the International Workshop on Software Engineering for Secure Software (SESS'06), Shanghai, China, ACM Press, 2006, pp. 35-41.
16. M. Hussein, M. Raihan, & M. Zulkernine, "Software Specification and Attack Languages," In Advances in Enterprise Information Technology Security, D. Khadraoui and F. Herrmann, Eds. IGI Global, 2007.
17. M. Raihan and M. Zulkernine, "AsmLSec: An Extension of Abstract State Machine Language for Attack Scenario Specification," In Proceedings of the 2nd International Conference on Availability, Reliability and Security (ARES'07), Vienna, Austria, IEEE CS Press, 2007, pp. 775-782.
18. M.U.A. Khan and M. Zulkernine, "Quantifying Security in Secure Software Development Phases," In Proceedings of the 2nd IEEE International Workshop on Secure Software Engineering (IWSSE'08), Turku, Finland, IEEE CS Press, 2008, pp. 955-960, 2008.
19. I.V. Krsul, "Software Vulnerability Analysis," Doctoral Dissertation, Department of Computer Sciences, Purdue University, West Lafayette, IN, USA, 1998.
20. M. Zulkernine, M. Graves, & M.U.A. Khan, "Integrating Software Specification into Intrusion Detection," International Journal on Information Security, Springer, 2007, vol.6, pp. 345-357.
21. G. Sindre, A.L. Opdahl, "Eliciting Security Requirements by Misuse Cases," In Proceedings of the 37th International Conference on Technology of Object-Oriented Languages and Systems (TOOLS'00), Sydney, Australia, IEEE CS Press, 2000, pp. 120-131.
22. J. McDermott and C. Fox, "Using Abuse Case Models for Security Requirements Analysis," In Proceedings of the 15th Computer Security Applications Conference (ACSAC'99), Pheonix, AZ, USA, IEEE CS Press, 1999, pp. 55-64.
23. M. Hussein and M. Zulkernine, "Intrusion Detection Aware Component-Based System: A Specification-Based Framework," Journal of System and Software, Elsevier Science, 2007, vol.80, no 5, pp. 700-710.
24. T. Lodderstedt, D.A. Basin, and J. Doser, "SecureUML: A UML-Based Modeling Language for Model Driven Security," In Proceedings of the 5th International Conference on the Unified Modeling Language (UML'02), Dresden, Germany, Springer, 2002, LNCS 2460/2002, pp. 426-441.
25. H. Mouratidis, P. Giorgini, and G. Manson, "When Security Meets Software Engineering: A Case of Modeling Secure Information Systems," Journal of Information Systems, Elsevier Science, 2005, vol.30, no.8, pp. 609-629.
26. S.T. Eckmann, G. Vigna, and R.A. Kemmerer, "STATL: An Attack Language for State-Based Intrusion Detection," Journal of Computer Security, IOS Press, Amsterdam, 2002, vol. 10, no. 1/2, pp. 71-104.
27. Snort, www.snort.org. Last Accessed March 2009.
28. SecureUML Tool, http://www.foundstone.com/us/resources/proddesc /secureumltemplate.htm. Last Accessed March 2009.
29. Si, http://sesa.dit.unitn.it/sistar-tool/home.php?7. Last Accessed March 2009.
30. Model-Driven Security with SecureUML, http://www.infsec.ethz.ch/people/ doserj/mds. Last Accessed March 2009.
31. J Viega, "Building Security Requirements with CLASP," In Proceedings of the 2005 International Workshop on Software Engineering for Secure Systems (SESS'05), St. Louis, MO, USA, 2005, pp. 1-7.
32. N.R. Mead, E. Hough, and T. Stehney, Security Quality Requirements Engineering (SQUARE) Methodology, Technical Report CMU/SEI-2005-TR-009, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA, 2005.
33. D. Mellado, E. Fernandez-Medina, and M. Piattni, "A Common Criteria-Based Security Requirements Engineering Process for the Development of Secure Information Systems," Computer Standards and Interfaces, Elsevier Science, 2007, vol.29, pp. 244-253.