Developing secure networked web-based systems using model-based risk assessment and UMLsec

Proceedings - Asia-Pacific Software Engineering Conference, APSEC

Volumn 2003-January, Issue , 2003, Pages 488-497

  Houmb, Siv Hilde ^a   Jürjens, Jan ^b  

^a Department of Computer and Information Science ^*  (Norway)

^b TECHNICAL UNIVERSITY OF MUNICH   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

MODELING LANGUAGES; SOFTWARE ENGINEERING; UNIFIED MODELING LANGUAGE;

DEVELOPMENT PROCESS; INTEGRATED DEVELOPMENT PROCESS; NETWORKED COMPUTING SYSTEMS; NETWORKED SYSTEMS; SECURITY ASPECTS; SECURITY REQUIREMENTS; TECHNICAL LEVELS; WEB-BASED SYSTEM;

RISK ASSESSMENT;

EID: 84944688537     PISSN: 15301362     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/APSEC.2003.01254404     Document Type: Conference Paper

References (27)

1. AS/NZS 4360:1999, Risk Management. Standards Australia, Strathfield, 1999.
2. B. Barber and J. Davey. The use of the ccta risk analysis and management methodology cramm in health information systems. In K. Lun, P. Degoulet, T. Piemme, and O. Rien-hoff, editors, MEDINFO 92, pages 1589-1593, Amsterdam, 1992. North Holland Publishing Co.
3. CORAS, The CORAS Intregrated Platform. Poster at the CORAS public workshop during ICT-2002, 2002.
4. T. Dimitrakos, B. Ritchie, D. Raptis, J. O. Aagedal, F. Den Braber, K. Stølen, and S. Houmb. Intgegrating model-based security risk management into ebusiness systems development: The coras approach. In J. Monteiro, P. Swat-man, and L. Tavares, editors, Second IFIP Conference on E-Commerce, E-Business, E-Government (I3E 2002), volume 233 of IFIP Conference Proceedings, pages 159-175. Kluwer, 2002.
5. E. Fernandez and J. Hawkins. Determining role rights from use cases. In Workshop on Role-Based Access Control, pages 121-125. ACM, 1997.
6. G. Georg, R. France, and I. Ray. An aspect-based approach to modeling security concerns. In Jürjens et al. [15].
7. S. Guarro and D. Okrent. The logic flowgraph: A new approach to process failure modeling and diagnonsis for disturbance analysis applications. Nuclear Technology, page 67, 1984.
8. S.-H. Houmb, F. Den Braber, M. S. Lund, and K. Stolen. Towards a UML profile for model-based risk assessment. In Jürjens et al. [15].
9. IEEE 1471, IEEE Recommended Practice for Architectural Description of Software-Intensive Systems, 2000.
10. ISO/IEC 17799-1: Information technology - Code of Practice for information security managementk, 2000.
11. ISO/IEC TR 13335: Information technology - Guidelines for Management of IT Security. 1996-2000.
12. J. Jürjens. UMLsec: Extending UML for secure systems development. In J.-M. Jézéquel, H. Hussmann, and S. Cook, editors, UML 2002 - The Unified Modeling Language, volume 2460 of LNCS, pages 412-425, Dresden, Sept. 30 - Oct. 4 2002. Springer.
13. J. Jürjens. Developing Security-Critical Systems with UML, 2003. Series of tutorials at international conferences including OMG DOCsec 2002, IFIP SEC 2002, APPLIED INFORMATICS 2003, ETAPS 2003, OMG Workshop On UML for Enterprise Applications 2003, Formal Methods Symposium 2003. Download of material at http://www4.in. tum.de/~juerjens/csdumltut.
14. J. Jürjens. Secure Systems Development with UML. Springer, 2003. In preparation.
15. J. Jürjens, V. Cengarle, E. Fernandez, B. Rumpe, and R. Sandner, editors. Critical Systems Development with UML, number TUM-I0208 in TUM technical report, 2002. UML'02 satellite workshop proceedings.
16. I. Kim and M. Modarres. Application of Goal Tree-Success Tree Model as the Knowledge-Base of Operator Advisory System. Nuclear Engineering & Design J., 104:67-81, 1987.
17. P. Krutchten. The Rational Unified Process, An Introduction. Readings, MA. Addison-Wesley, 1999.
18. K. Lano, K. Androutsopoulos, and D. Clark. Structuring and Design of Reactive Systems using RSDS and B. In FASE 2000, LNCS. Springer-Verlag, 2000.
19. R. Paige and J. Ostroff. A proposal for a lightweight rigorous UML-based development method for reliable systems. In Workshop on Practical UML-Based Rigorous Development Methods, Lecture Notes in Informatics, pages 192-207. German Computer Society (GI), 2001. UML 2001 satellite workshop.
20. G. Popp, J. Jürjens, G. Wimmel, and R. Breu. Security-critical system development with extended use cases. In 10th Asia-Pacific Software Engineering Conference (APSEC 2003), Chiangmai (Thailand), 10-12 December 2003. IEEE Computer Society.
21. J. Putman. Architecting with RM-ODP. Prentice-Hall, 2000.
22. D. Raptis, T. Dimitrakos, B. Gran, and K. Stølen. The CORAS Approach for Model-based Risk Management applied to e-Commerce Domain. In Proc. CMS-2002, pages 169-181. Kluwer, 2002.
23. J. Rumbaugh, I. Jacobson, and G. Booch. The Unified Modeling Language Reference Manual. Addison-Wesley, 1999.
24. G. Sindre and A. Opdahl. Eliciting Security Requirements by Misuse Cases. In Proc. TOOLS-PACIFIC 2000, pages 120-131, Sydney, Australia, 2000. Los Alamitos, CA: IEEE Computer Society Press.
25. K. Stølen, F. Den Braber, T. Dimitrakos, R. Fredriksen, B. Gran, S. Houmb, Y. Stamatiou, and J. Aagedal. Business Component-Based Software Engineering, chapter Model-based Risk Assessment in a Component-Based Software Engineering Process: The CORAS Approach to Identify Security Risks, pages 189-207. Kluwer, 2002. ISBN: 1-4020-7207-4.
26. K. Stølen and E. Mantzoranis. Experience from using model-based risk assessment to evaluate the security of a telemedicine application. In Proc. TICD-2002, 2002.
27. G. Wyss, R. Craft, and D. Funkhouser. The Use of Object-Oriented Analysis Methods in Surety Analysis. Sandia National Laboratories Report, 1999.