The ISDF Framework: Towards Secure Software Development

  • Published: 2010.03.31

Abstract

The rapid growth of communication and globalization has changed the software engineering process. Security has become a crucial component of any software system. However, software developers often lack the knowledge and skills needed to develop secure software. Clearly, the creation of secure software requires more than simply mandating the use of a secure software development lifecycle; the components produced by each stage of the lifecycle must be correctly implemented for the resulting system to achieve its intended goals. This study demonstrates that a more effective approach to the development of secure software can result from the integration of carefully selected security patterns into appropriate stages of the software development lifecycle to ensure that security designs are correctly implemented. The goal of this study is to provide developers with an Integrated Security Development Framework (ISDF) that can assist them in building more secure software.


Cited by

  1. Securing distributed systems using patterns: A survey vol.31, pp.5, 2012, https://doi.org/10.1016/j.cose.2012.04.005
  2. Secure software development: a prescriptive framework vol.2011, pp.8, 2011, https://doi.org/10.1016/S1361-3723(11)70083-5
  3. Building Secure Software Using XP vol.2, pp.3, 2011, https://doi.org/10.4018/jsse.2011070104
  4. Meta-Modeling Based Secure Software Development Processes vol.5, pp.3, 2014, https://doi.org/10.4018/ijsse.2014070104