RUPSec: An Extension on RUP for Developing Secure Systems - Requirements Discipline

The world is moving rapidly toward the deployment of information and communication systems. Fast-growing computing systems are now found everywhere, and one of the main challenges for these systems is the increasing number of attacks and security threats against them. Capturing, analyzing and verifying security requirements therefore becomes a very important activity in the development process of computing systems, especially for systems such as banking, military and e-business systems. For developing every system, a process model which includes a process, methods and tools is chosen. The Rational Unified Process (RUP) is one of the most popular and complete process models used by developers in recent years. This process model should be extended to be used in developing secure software systems. In this paper, the Requirements Discipline of RUP is extended to improve RUP for developing secure software systems. The proposed extensions add and integrate a number of Activities, Roles, and Artifacts into RUP in order to capture, document and model the threats and security requirements of the system. These extensions introduce a group of clear and stepwise activities to developers. By following these activities, developers assure that security requirements are captured and modeled. These models are used in design, implementation and test activitie

