Title: UMLsecRT: Reactive Security Monitoring of Java Applications with Round-Trip Engineering
Authors: Sven Peldszus, Jens Bürger, Jan Jürjens
Type: journal article
Year: 2024 (record date: 2024-09-25)
Language: en
DOI: 10.1109/TSE.2023.3326366
Repository: https://publica.fraunhofer.de/handle/publica/475653
Scopus ID: 2-s2.0-85176318728
Keywords: Java; model-based development; round-trip engineering; runtime monitoring; security; security by design; security mitigation; security monitoring; UML; UMLsec

Abstract:
Today's software systems tend to be long-living and often process security-critical data, so keeping up with ever-changing security measures, attacks, and mitigations is critical to maintaining their security. While it has become common practice to consider security aspects during the design of a system, OWASP still identifies insecure design as one of the top 10 threats to security. Furthermore, even if the planned design is secure, verifying that the planned security assumptions hold at run-time and investigating any violations that may have occurred is cumbersome. In particular, the configuration of run-time monitors such as the Java Security Manager, which could enforce design-time security assumptions, is non-trivial and therefore rarely used in practice. To address these challenges, we present UMLsecRT for automatically supporting model-based security engineering with run-time monitoring of design-time security specifications and round-trip engineering for propagating run-time observations to the design level. Following the established security-by-design approach UMLsec, security experts annotate system models with security properties that UMLsecRT automatically synchronizes with corresponding source code annotations for the automatic configuration of UMLsecRT's run-time monitor. To this end, UMLsecRT monitors these security properties at run-time without additional effort to specify monitoring policies. Developers can define mitigations for attacks detected at run-time in advance by adjusting the automatically synchronized annotations at implementation time. Triggered by a security violation, UMLsecRT can adapt the design-time models based on run-time findings to facilitate the investigation of security violations.

We evaluated UMLsecRT concerning its effectiveness and applicability to security violations extracted from real-world attacks and the DaCapo benchmark, conducted user studies on the usability of the adapted models and the feasibility of UMLsecRT in practice, especially concerning countermeasures, and investigated the scalability of UMLsecRT. To study the applicability of the whole development process, we applied UMLsecRT in two case studies to the Eclipse Secure Storage and the electronic health record system iTrust.