From misuse cases to mal-activity diagrams: bridging the gap between functional security analysis and design

El-Attar, Mohamed
February 2014
Software & Systems Modeling;Feb2014, Vol. 13 Issue 1, p173
Academic Journal
Secure software engineering is concerned with developing software systems that will continue delivering their intended functionality despite a multitude of harmful software technologies that can attack these systems from anywhere and at any time. Misuse cases and mal-activity diagrams are two techniques to model functional security requirements and address security concerns early in the development life cycle. This allows system designers to equip their systems with security mechanisms built into the system design rather than relying on external defensive mechanisms. In a model-driven engineering process, misuse cases are expected to drive the construction of mal-activity diagrams. However, a systematic approach to transform misuse cases into mal-activity diagrams is missing. Therefore, this process remains dependent on human skill and judgment, which raises the risk of developing mal-activity diagrams that are inconsistent with the security requirements described in misuse cases, leading to the development of an insecure system. This paper presents an authoring structure for misuse cases and a transformation technique to systematically perform this desired model transformation. A study was conducted to evaluate the proposed technique using 46 attack stories outlined in a book by a former well-known hacker (Mitnick and Simon in The art of deception: controlling the human element of security, Wiley, Indianapolis). The results indicate that applying the proposed technique produces correct mal-activity diagrams from misuse cases.


Related Articles

  • UML specification of access control policies and their formal verification. Koch, Manuel; Parisi-Presicce, Francesco // Software & Systems Modeling;Dec2006, Vol. 5 Issue 4, p429 

    Security requirements have become an integral part of most modern software systems. In order to produce secure systems, it is necessary to provide software engineers with the appropriate systematic support. We propose a methodology to integrate the specification of access control policies into...

  • IT PLANNER 5 STEPS TO SECURE DEVELOPMENT. Taft, Darryl K. // eWeek;3/17/2008, Vol. 25 Issue 9, p37 

    The article discusses the steps in securing application software during and after the development process. Defining the process to be used and measuring the security of application software are said to be the first to be considered. This process includes thinking about coding standards for developers and...

  • App Developers Cite Time Constraints and Poor Testing as Two Biggest Project Challenges.  // Software World;Sep2010, Vol. 41 Issue 5, p15 

    The article offers information on the result of the new Application Developer Trends survey conducted by Embarcadero Technologies Inc. in May 2010. It mentions that the two biggest project challenges experienced by software developers are the lack of time in accomplishing work tasks, and poor...

  • Micro Focus Sets Plans for Developer Forum.  // Database Trends & Applications;Nov2004, Vol. 18 Issue 11, p7 

    This article presents an interview with Barry Rosetti, senior director of development at Micro Focus, a provider of legacy application development and deployment software for contemporary platforms. Micro Focus will hold Developer Forums in Atlanta, Georgia and in Amsterdam, the Netherlands....

  • A survey of traceability in requirements engineering and model-driven development. Winkler, Stefan; Pilgrim, Jens // Software & Systems Modeling;Sep2010, Vol. 9 Issue 4, p529 

    Traceability—the ability to follow the life of software artifacts—is a topic of great interest to software developers in general, and to requirements engineers and model-driven developers in particular. This article aims to bring those stakeholders together by providing an overview...

  • A Critique of Positive Responsibility in Computing. Stieb, James A. // Science & Engineering Ethics;Jun2008, Vol. 14 Issue 2, p219 

    It has been claimed that (1) computer professionals should be held responsible for an undisclosed list of “undesirable events” associated with their work and (2) most if not all computer disasters can be avoided by truly understanding responsibility. Programmers, software developers,...

  • Integrating Security Concerns into Software Development. Al-Fedaghi, Sabah; Al-Kanderi, Fajer // International Journal of Security & Its Applications;May2013, Vol. 7 Issue 3, p235 

    It has become clear in software development that functionality and security must go hand in hand in cases where security concerns are to be incorporated early in stages of design. An essential aspect of such a process is threat modeling that integrates security with functional specification....

  • An Empirical Study on Improving Shared Understanding of Requirements in GSD. Mamoona Humayun; Cui Gang // International Journal of Software Engineering & Its Applications;Jan2013, Vol. 7 Issue 1, p79 

    Purpose - To investigate the role of clear organizational structure with communicating responsibilities, a practice of Knowledge Management, in developing shared understanding of requirements in GSD - an area that is very important but has, to date, not been addressed adequately....

  • SIMULATION-BASED APPLICATION SOFTWARE DEVELOPMENT IN TIME-TRIGGERED COMMUNICATION SYSTEMS. Hanzlik, Alexander // International Journal of Software Engineering & Applications;Mar2013, Vol. 4 Issue 2, p75 

    This paper introduces a simulation-based approach for design and test of application software for time-triggered communication systems. The approach is based on the SIDERA simulation system that supports the time-triggered real-time protocols TTP and FlexRay. We present a software development...

