Integrating Security in Software Engineering Process: The CSEP Methodology
KTH, School of Information and Communication Technology (ICT), Software and Computer systems, SCS.
2012 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

In today’s organizations, a vast amount of existing software systems is insecure, which results in compromised valuable assets and has negative consequences on the organizations. Throughout the years, many attempts have been made to build secure software systems, but the solutions proposed were limited to a few add-on fixes made after implementation and installation of the system.

The contribution of the research in this thesis is a software security engineering methodology, called Controlled Security Engineering Process, which provides support to developers when developing more secure software systems by integrating software lifecycle and security lifecycle, and enhancing the control in the engineering process. The proposed methodology implements security in every phase of general software system engineering, i.e., requirement, design, implementation, and testing, as well as operation and maintenance to certify that software systems are built with security in mind.

The Controlled Security Engineering Process methodology addresses security problems in the development lifecycle. Construction of a secure software system involves specific steps and activities, which include security requirements specifications of system behavior, secure software design, an analysis of the design, implementation with secure coding and integration, and operating and maintenance procedures.

The methodology incorporates software security patterns and control of the engineering process. The software security patterns can be used as security controls and information sources to demonstrate how a specific security task should be performed or a specific security problem solved. Many patterns can be implemented in an automated way, which can facilitate the work of software engineers.

The control of the engineering process provides visibility over the development process. The control assures that authorised developers access legitimate and necessary information and projects’ documents by using authentication and authorization.

To support implementation of automated patterns and provide control over the engineering process, a design of a multi-agent system is provided. The multi-agent system supports implementation of patterns and extracting security information, and provides traceability in the engineering process. The security information is requirements, threats and security mechanisms that are provided by matching project documents, and traceability is achieved by monitoring and logging services.

The Controlled Security Engineering Process methodology has been evaluated through interviews with developers, security professionals, and decision makers in different types of organizations but also through a case study which was carried out in an organization.

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2012. v, 79 p.
Series
TRITA-ICT-ECS AVH, ISSN 1653-6363 ; 12:03
National Category
Information Systems
Identifiers
URN: urn:nbn:se:kth:diva-95393
OAI: oai:DiVA.org:kth-95393
DiVA: diva2:528069
Public defence
2012-06-05, Sal D KTH-ICT, Forum, Isafjordsgatan 39, Kista, 13:00 (English)
Note

QC 20120514

Available from: 2012-05-24 Created: 2012-05-23 Last updated: 2014-01-24 Bibliographically approved
List of papers
1. Possible attacks on XML Web Services
2006 (English) In: International Journal of Computer Science and Network Security, ISSN 1738-7906, Vol. 6, no 1B, 154-170 p. Article in journal (Refereed) Published
Abstract [en]

Web Services make it easy for organisations to participate in real time communication. The inevitable challenge facing organisations today is to implement adequate Web Services security. The attacks on Web Services might cause halt of the entire network communication or expose confidential information in an organisation. In this paper, we present Web Services security and security concerns together with analysis of possible attacks on SOAP implementation of XML Web Services over HTTP. We will discuss some important questions about Web Services vulnerabilities emphasized by a study based on investigation of security problems in XML Web Services, and interviews with security experts. The result of this study is presented as possible attacks on XML Web Services.

National Category
Information Systems
Identifiers
urn:nbn:se:kth:diva-44447 (URN)
Note
QC 20120524
Available from: 2011-10-20 Created: 2011-10-20 Last updated: 2017-12-08 Bibliographically approved
2. Secure transmission and processing of information in organisations systems
2009 (English) In: International Journal of Intelligent Defence Support Systems, ISSN 1755-1595, Vol. 2, no 1/2009, 58-71 p. Article in journal (Refereed) Published
Abstract [en]

Businesses interchange information internally and manage electronic transactions with trading partners over internet. The success factor is integration of e-business processes with the existing internal infrastructure and applications, as well as with business partner's systems. It is essential to provide correct and relevant information to the right receiver. In this paper, we present an approach of transmission and processing of information in the organisations systems by intelligent agents to improve information flow, provide availability and protect confidential information from being disclosed, modified and lost. To monitor and control information flow in e-business processes, we propose using Multi-Agent Systems (MASs).

Place, publisher, year, edition, pages
InderScience Publishers, 2009
National Category
Information Systems
Identifiers
urn:nbn:se:kth:diva-95353 (URN)
10.1504/IJIDSS.2009.027551 (DOI)
Note
QC 20120524
Available from: 2012-05-23 Created: 2012-05-23 Last updated: 2012-05-24 Bibliographically approved
3. System Engineering Security
2009 (English) Conference paper, Published paper (Refereed)
Abstract [en]

Organizations integrate different systems and software applications in order to provide a complete set of services to their customers. However, different types of organisations are facing a common problem today, namely problems with security in their systems. The reason is that focus is on functionality rather than security. Besides that, security, if considered, comes too late in the system and software engineering processes; often during design or implementation phase. Moreover, the majority of system engineers do not have knowledge in security. However, security experts are rarely involved in the development process. Thus, systems are not developed with security in mind, which usually leads to problems and security breaches. We propose an approach of integrating security throughout the engineering process. To assure that necessary actions concerning security have been taken during the development process, we propose semi-automated preventive controls.

Place, publisher, year, edition, pages
Springer Berlin/Heidelberg, 2009
National Category
Information Systems
Identifiers
urn:nbn:se:kth:diva-95354 (URN)
10.1007/978-3-642-04592-9_102 (DOI)
Conference
The 13th International Conference on Knowledge-Based and Intelligent Information & Engineering Systems
Available from: 2012-05-23 Created: 2012-05-23 Last updated: 2012-05-24 Bibliographically approved
4. Multi-Agent System Supporting Security Requirements Engineering
2010 (English) In: Proceedings of the 2010 International Conference on Software Engineering Research & Practice, SERP 2010 / [ed] Hamid R. Arabnia, Hassan Reza, Leonidas Deligiannidis, Juan Jose Cuadrado-Gallego, Vincent Schmidt, Ashu M. G. Solo, Las Vegas, Nevada, USA: CSREA Press, 2010, 459-465 p. Conference paper, Published paper (Refereed)
Place, publisher, year, edition, pages
Las Vegas, Nevada, USA: CSREA Press, 2010
National Category
Engineering and Technology
Identifiers
urn:nbn:se:kth:diva-89833 (URN)
1-60132-167-8 (ISBN)
Conference
2010 International Conference on Software Engineering Research & Practice, SERP 2010, Las Vegas, Nevada, USA, July 12-15, 2010
Note

QC 20120417

Available from: 2012-02-16 Created: 2012-02-16 Last updated: 2017-03-29 Bibliographically approved
5. Controlling Security of Software Development with Multi-agent System
2010 (English) In: KNOWLEDGE-BASED AND INTELLIGENT INFORMATION AND ENGINEERING SYSTEMS / [ed] Setchi R; Jordanov I; Howlett RJ; Jain LC, 2010, Vol. 6279, 98-107 p. Conference paper, Published paper (Refereed)
Abstract [en]

Software systems become distributed and complex. Distributed systems are crucial for organizations since they provide possibility to share data and information, resources and services. Nowadays, many software systems are not developed from scratch: system development involves reuse of already developed components. However, with the intrusion in the computer systems, it has become important that systems must fulfill security goals and requirements. Moreover, interdependencies of components create problems during integration phase. Therefore, security properties of components should be considered and evaluated earlier in the lifecycle. In this paper, we propose an agent-oriented process that supports verification of fulfillment of security goals and validation of security requirements during different phases of development lifecycle. Moreover, the system needs to support mapping of security requirements to threat list to determine if any of the attacks in the list is applicable to the system to be developed. This is performed by the meta-agents. These meta-agents automatically create a security checklist, as well as provide control of actions taken by human agent.

Series
Lecture Notes in Artificial Intelligence, ISSN 0302-9743 ; 6279
Keyword
Multi-agent system, security engineering, risk management, security checklist, control system
National Category
Computer and Information Science
Identifiers
urn:nbn:se:kth:diva-33476 (URN)
000289445700011 ()
2-s2.0-78649296403 (Scopus ID)
978-3-642-15383-9 (ISBN)
Conference
14th International Conference on Knowledge-Based and Intelligent Information and Engineering Systems
Note
QC 20110516
Available from: 2011-05-16 Created: 2011-05-09 Last updated: 2012-05-24 Bibliographically approved
6. Software Security Engineering Monitoring and Control
2011 (English) Conference paper, Published paper (Refereed)
Abstract [en]

Poorly constructed software can induce security weaknesses and defects, which can be exploited by attackers. Despite many security standards and mechanisms, a vast amount of software systems have security vulnerabilities. The security problems induce the necessity of monitoring and controlling software development and maintenance. In this paper, we propose a multi-agent system that supports security in development of new systems and modification of existing systems. Thus, the multi-agent system verifies and validates the goals and requirements during different phases of development lifecycle. For the verification and validation, searching for information and mapping are needed. Searching for information about the project and security documents, such as risks, list of threats and vulnerabilities, is performed by software agents. Comparisons and analyses of requirements and use cases as well as mapping of those to attack patterns are performed by meta-agents. The proposed multi-agent system supports confidentiality, integrity, availability, accountability, and non-repudiation.

National Category
Information Systems
Identifiers
urn:nbn:se:kth:diva-95355 (URN)
Conference
The 2010 International Conference on Software Engineering Research and Practice
Note
QC 20120524
Available from: 2012-05-23 Created: 2012-05-23 Last updated: 2012-05-24 Bibliographically approved
7. Ontology Based Patterns for Software Security Engineering
2012 (English) In: Advances in Knowledge-Based and Intelligent Information and Engineering Systems, Springer Berlin/Heidelberg, 2012, 406-419 p. Conference paper, Published paper (Refereed)
Abstract [en]

Software security engineering requires an understanding of the security issues and knowledge about how to solve these issues. Unfortunately, the engineers often lack knowledge in security field, which induces security risks in software systems. To minimize the risks and support engineers during system development, structured and reusable information in security area is required. To this objective, security process and security patterns for software development are proposed. Moreover, the design of the security patterns is based on ontology techniques, which can provide structured information that can be reused and combined. For searching and mapping of patterns, we use agents in multi-agent system. The presented approach can enhance understanding of security issues and support implementation of security in software engineering process.

Place, publisher, year, edition, pages
Springer Berlin/Heidelberg, 2012
Series
Frontiers in Artificial Intelligence and Applications, ISSN 0922-6389 ; 243
Keyword
Agent System, Security Ontology, Security Patterns, Software Engineering, Software Security
National Category
Information Systems
Identifiers
urn:nbn:se:kth:diva-95365 (URN)
10.3233/978-1-61499-105-2-406 (DOI)
000332936700042 ()
2-s2.0-84879109974 (Scopus ID)
Conference
16th International Conference on Knowledge-Based and Intelligent Information & Engineering Systems, 10-12 September 2012, San Sebastian, Spain
Funder
ICT - The Next Generation
Note

QC 20120524

Available from: 2012-05-23 Created: 2012-05-23 Last updated: 2014-10-08 Bibliographically approved
8. Ontology design and mapping for building secure e-commerce software
2012 (English) In: WEBIST 2012 - Proceedings of the 8th International Conference on Web Information Systems and Technologies, 2012, 167-173 p. Conference paper, Published paper (Refereed)
Abstract [en]

Developers are struggling with the challenging task of producing secure e-commerce software. Nonetheless, software insecurity remains an issue for e-commerce organisations. Software engineers are expected to possess knowledge in the software engineering area, as well as security. In addition, they are required to understand and correctly identify the relationships between the security concepts. However, developers commonly lack this knowledge and consequently, security is often omitted during the engineering process. To support developers to face the challenge, we use ontology based techniques for structuring and representation of security knowledge. Categorization according to the security properties of confidentiality, integrity, and availability is needed to provide a holistic view over the security requirements, assets, security threats, and security controls. Moreover, we propose mapping of different security ontologies to provide traceability. For this purpose, we use meta-agents and software agents in multi-agent system. We present a development scenario of electronic invoice presentment system, where we demonstrate how usage of ontologies in combination with multi-agent system can improve security of e-commerce software systems.

Keyword
Agent system, E-commerce security, Mapping, Security ontology, Software security
National Category
Information Systems
Identifiers
urn:nbn:se:kth:diva-95358 (URN)
2-s2.0-84864882777 (Scopus ID)
978-989856508-2 (ISBN)
Conference
8th International Conference on Web Information Systems and Technologies, WEBIST 2012; Porto; 18 April 2012 through 21 April 2012
Funder
ICT - The Next Generation
Note

QC 20120524

Available from: 2012-05-23 Created: 2012-05-23 Last updated: 2014-01-27 Bibliographically approved

Open Access in DiVA

fulltext (1273 kB), 643 downloads
File information
File name: FULLTEXT01.pdf
File size: 1273 kB
Checksum SHA-512:
0ce1bda419acf7fa584b9d6d20e878e9c4079f822e2ccf4c7f234c094d80bcabb430ccca8c670c3f27dbe385ac14b0873e880c0a4fd3ab88bb5f479192895b10
Type: fulltext
Mimetype: application/pdf

Search in DiVA

By author/editor
Moradian, Esmiralda
By organisation
Software and Computer systems, SCS
Information Systems
