Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Systematic development of UMLsec design models based on security requirements

: Hatebur, D.; Heisel, M.; Jürjens, J.; Schmidt, H.


Giannakopoulou, D.:
Fundamental approaches to software engineering. Proceedings : 14th international conference, FASE 2011, held as part of the Joint European Conference on Theory and Practice of Software, ETAPS 2011, Saarbrücken, Germany, March 26-April 3, 2011
Heidelberg: Springer, 2011 (Lecture Notes in Computer Science 6603)
ISBN: 3-642-19810-4
ISBN: 978-3-642-19810-6
ISBN: 978-3-642-19811-3
ISSN: 0302-9743
International Conference on Fundamental Approaches to Software Engineering (FASE) <14, 2011, Saarbrücken>
Joint European Conferences on Theory and Practice of Software (ETAPS) <14, 2011, Saarbrücken>
Conference Paper
Fraunhofer ISST ()

Developing security-critical systems in a way that makes sure that the developed systems actually enforce the desired security requirements is difficult, as can be seen by many security vulnerabilities arising in practice on a regular basis. Part of the difficulty is the transition from the security requirements analysis to the design, which is highly non-trivial and error-prone, leaving the risk of introducing vulnerabilities. Unfortunately, existing approaches bridging this gap largely only provide informal guidelines for the transition from security requirements to secure design. We present a method to systematically develop structural and behavioral UMLsec design models based on security requirements. Each step of our method is supported by model generation rules expressed as pre- and postconditions using the formal specification language OCL. Moreover, we present a concept for a CASE tool based on the model generation rules. Thus, applying our method to generate UM Lsec design models supported by this tool and based on previously captured and analyzed security requirements becomes systematic, less error-prone, and a more routine engineering activity. We illustrate our method by the example of a patient monitoring system.