SecureUML: A UML-Based Modeling Language for Model-Driven Security

Lodderstedt, Torsten; Basin, David; Döser, Jürgen

doi:10.1007/3-540-45800-x_33

Cited by 520 publications

(355 citation statements)

References 5 publications

Supporting

Mentioning

327

Contrasting

Unclassified

Order By: Relevance

“…Secure TROPOS [44] as extension of the i* modeling language is one example of such methods. Furthermore, two extensions of UML, namely UMLSec [45] and Secure UML [46] were introduced as a possible way to improve the integration of security-specific information into UML. 7 Some of the analysis-oriented methods utilized for SRE can also be applied for security architecture reviews, since the goal to reveal threats, weaknesses, and vulnerabilities remains the same for both.…”

Section: Sre Methodsmentioning

confidence: 99%

Getting Grip on Security Requirements Elicitation by Structuring and Reusing Security Requirements Sources

Schmitt

Liggesmeyer

2015

CSIMQ

View full text Add to dashboard Cite

Abstract. This paper presents a model for structuring and reusing security requirements sources. The model serves as blueprint for the development of an organization-specific repository, which provides relevant security requirements sources, such as security information and knowledge sources and relevant compliance obligations, in a structured and reusable form. The resulting repository is intended to be used by development teams during the elicitation and analysis of security requirements with the goal to understand the security problem space, incorporate all relevant requirements sources, and to avoid unnecessary effort for identifying, understanding, and correlating applicable security requirements sources on a project-wise basis. We start with an overview and categorization of important security requirements sources, followed by the description of the generic model. To demonstrate the applicability and benefits of the model, the instantiation approach and details of the resulting repository of security requirements sources are presented.

show abstract

Section: Sre Methodsmentioning

confidence: 99%

Getting Grip on Security Requirements Elicitation by Structuring and Reusing Security Requirements Sources

Schmitt

Liggesmeyer

2015

CSIMQ

View full text Add to dashboard Cite

show abstract

“…There is a plethora of works in the context of security modeling with UML such as [18,19,29]. As indicated above, the USE system is a general-purpose validation tool and can hence be employed for other UML/OCL encodings of RBAC policies than that given in Section 4.…”

Section: Related Workmentioning

confidence: 99%

“…As indicated above, the USE system is a general-purpose validation tool and can hence be employed for other UML/OCL encodings of RBAC policies than that given in Section 4. In particular, Lodderstedt et al present the modeling language SecureUML for integrating the specification of access control into application models and automatic generation of access control infrastructures for applications [18]. They also deal with authorization constraints, but do not concentrate on SoD constraints.…”

Section: Related Workmentioning

confidence: 99%

Enforcing Role-Based Access Control Policies in Web Services with UML and OCL

Sohr

Mustafa

Bao

et al. 2008

2008 Annual Computer Security Applications Conference (ACSAC)

View full text Add to dashboard Cite

Role-based access control (RBAC) is a powerful means for laying out and developing higher-level organizational policies such as separation of duty, and for simplifying the security management process. One of the important aspects of RBAC is authorization constraints that express such organizational policies. While RBAC has generated a great interest in the security community, organizations still seek a flexible and effective approach to impose role-based authorization constraints in their security-critical applications. In this paper, we present a Web Services-based authorization framework that can be employed to enforce organization-wide authorization constraints. We describe a generic authorization engine, which supports organization-wide authorization constraints and acts as a central policy decision point within the authorization framework. This authorization engine is implemented by means of the USE system, a validation tool for UML models and OCL constraints. Using this system, we also demonstrate how the authorization constraints can be specified in OCL and then be implemented by USE.

show abstract

“…He proposes a concept for specifying requirements on confidentiality and integrity in analysis models based on UML. Lodderstedt et al [42] present a UML-based modelling language (SecureUML). Their approach is focused on modelling access control policies and integrating them into a model-driven software development process.…”

Section: Security Requirements Engineering: a Surveymentioning

confidence: 99%

Security and Trust Requirements Engineering

Giorgini

Massacci

Zannone

2005

Foundations of Security Analysis and Design III

View full text Add to dashboard Cite

Abstract. Integrating security concerns throughout the whole software development process is one of today's challenges in software and requirements engineering research. A challenge that so far has proved difficult to meet. The major difficulty is that providing security does not only require to solve technical problems but also to reason on the organization as a whole. This makes the usage of traditional software engineering methologies difficult or unsatisfactory: most proposals focus on protection aspects of security and explicitly deal with low level protection mechanisms and only an handful of them show the ability of capturing the high-level organizational security requirements, without getting suddenly bogged down into security protocols or cryptography algorithms. In this paper we critically review the state of the art in security requirements engineering and discuss the motivations that led us to propose the Secure Tropos methodology, a formal framework for modelling and analyzing security, that enhances the agent-oriented software development methodology i*/Tropos. We illustrate the Secure Tropos approach, a comprehensive case study, and discuss some later refinements of the Secure Tropos methodology to address some of its shortcomings. Finally, we introduce the ST-Tool, a CASE tool that supports our methodology.

show abstract

SecureUML: A UML-Based Modeling Language for Model-Driven Security

Cited by 520 publications

References 5 publications

Getting Grip on Security Requirements Elicitation by Structuring and Reusing Security Requirements Sources

Getting Grip on Security Requirements Elicitation by Structuring and Reusing Security Requirements Sources

Enforcing Role-Based Access Control Policies in Web Services with UML and OCL

Security and Trust Requirements Engineering

Contact Info

Product

Resources

About