Tuesday, 21 December 2010

Annotated Bib.: Towards a Comprehensive Framework for Secure Systems Development



[1] H. Mouratidis, J. Ju ̈rjens, and J. Fox. Towards a comprehensive framework for secure systems develop- ment. In E. Dubois and K. Pohl, editors, CAiSE, volume 4001 of Lecture Notes in Computer Science, pages 48–62. Springer, 2006.

This paper is present a new framework that can be used to get a security-aware process. The paper is based on the idea that security involves technical and social parts. the paper state that all work done in the field is either focusing on the technical or on the social part, and that they all work to a cretin level. The authors claims that this approach consider both parts (technical and social), and it consider all stages in the process, starting form the early stage of data collection till the implementation stage.

The framework is integration between two security-aware methodologies; Secure Tropos and UMLsec; since secure Tropos focuses more on the social challenges, and on early stages of a process, where UMLsec focuses more on technical challenges and the late stages. so the new frame work will focus on both type of challenges and all stages.

The aim of the framework is to present an approach for modelling secure information systems; which is done through 4 stages:
1-Early Requirements Analysis; which uses Secure Tropos to analyse the security needs and goals of stakeholders.
2-Late Requirements Analysis; which also uses Secure Tropos to determine the security requirements of the system.
3-Architectural Design; in which the mapping of Secure Tropos to the UMLsec is performed. Secure Tropos is used to determine the general architecture and the components of the system. Then UMLsec is used to model the security protocols and properties.
4-Detailed design; which uses UMLsec to specify in details the components of the system and model the secure interaction of the system components.

The real challenge in this paper and probably the biggest contribution is providing an integration and mapping from Secure Tropos to UMLsec, the paper provided guide lines to do so:
1- Map the secure Tropos analysis module to UMLsec class diagram; which contains 5 steps.
2- Map the secure Tropos analysis module to UMLsec Deployment diagram; which contains 3 steps.
Finally, to show the effectiveness of the new framework, it was applied on an ecommerce case study, which showed that the framework actually discovered a new security requirement that was ignored initially.

The paper conclude that it is important today to consider security in process and system design the new framework, consider all security challenges and all process stages, and it is easy to understand since it is using popular methodologies.

Relation to research on hand, this paper is a big contribution to the literature review and on showing what have been done yet on the field on integrating security in to BPM. This paper presented a new framework that can be used to consider security recruitments from the beginning all the way till implementation. Although the framework in hand is aimed to system buildings but it can be used to generate a new framework that would be used in integrating security into BPM.

No comments:

Post a Comment