Volume 17, Issue 2 (9-2020)
JSDP 2020, 17(2): 46-33 |
Back to browse issues page
Download citation:
BibTeX | RIS | EndNote | Medlars | ProCite | Reference Manager | RefWorks
Send citation to:
BibTeX | RIS | EndNote | Medlars | ProCite | Reference Manager | RefWorks
Send citation to:
RahimiZadeh K, Torkamani M, Dehghani A. Mapping of McGraw Cycle to RUP Methodology for Secure Software Developing. JSDP 2020; 17 (2) :46-33
URL: http://jsdp.rcisp.ac.ir/article-1-917-en.html
URL: http://jsdp.rcisp.ac.ir/article-1-917-en.html
Yasouj University
Abstract: (2957 Views)
Designing a secure software is one of the major phases in developing a robust software. The McGraw life cycle, as one of the well-known software security development approaches, implements different touch points as a collection of software security practices. Each touch point includes explicit instructions for applying security in terms of design, coding, measurement, and maintenance of software. Developers are able to provide secure and robust software by applying such touch points. In this paper, we introduce a secure and robust approach to map McGraw cycle to RUP methodology, named RUPST. The traditional form of RUP methodology is revised based on the proposed activities for software security. RUPST adds activities like security requirements analysis, abuse case diagrams, risk-based security testes, code review, penetration testing, and security operations to the RUP disciplines. In this regard, based on RUP disciplines, new touch points of software security are presented as a table. Also, RUPST adds new roles such as security architect and requirement analyzer, security requirement designer, code reviewer and penetration tester which are presented in the form of a table along with responsibilities of each role.
This approach introduces new RUP artifacts for disciplines and defines new roles in the process of secure software design. The offered artifacts by RUPST include security requirement management plan, security risk analysis model, secure software architecture document, UMLSec model, secure software deployment model, code review report, security test plan, security testes procedures, security test model, security test data, penetration report, security risks management document, secure installation and configuration document and security audit report.
We evaluate the performance of the RUPST in real software design process in comparison to other secure software development approaches for different security aspects. The results demonstrate the efficiency of the proposed methodology in developing of a secure and robust software.
This approach introduces new RUP artifacts for disciplines and defines new roles in the process of secure software design. The offered artifacts by RUPST include security requirement management plan, security risk analysis model, secure software architecture document, UMLSec model, secure software deployment model, code review report, security test plan, security testes procedures, security test model, security test data, penetration report, security risks management document, secure installation and configuration document and security audit report.
We evaluate the performance of the RUPST in real software design process in comparison to other secure software development approaches for different security aspects. The results demonstrate the efficiency of the proposed methodology in developing of a secure and robust software.
Keywords: Secure software engineering, software development lifecycle, software design, RUP, artifact
Type of Study: Research |
Subject:
Paper
Received: 2018/10/22 | Accepted: 2019/09/2 | Published: 2020/09/14 | ePublished: 2020/09/14
Received: 2018/10/22 | Accepted: 2019/09/2 | Published: 2020/09/14 | ePublished: 2020/09/14
References
1. [1] J. H. Allen, Software security engineering: a guide for project managers. Addison-Wesley, 2008.
2. [2] M. Eftekhari, M.M. Momenabadi, M. Khamar, "Proposing an evolutionary-fuzzy method for software defects detection", JSDP. Vol. 15, NO. 4, pp.3-16, 2009. [DOI:10.29252/jsdp.15.4.3]
3. [3] G. McGraw, "Software Security: Building Security in," in 2006 17th International Symposium on Software Reliability Engineer-ing, 2006, pp. 6-16. [DOI:10.1109/ISSRE.2006.43]
4. [4] M. Howard and S. Lipner, "The security development lifecycle : SDL, a process for developing demonstrably more secure soft-ware", Microsoft Press, 2006.
5. [5] "Microsoft SDL Process Guidance updates, version 5.2 - Microsoft Security." [Online]. Available: https://www.microsoft.com/security/blog/2012/05/23/now-available-microsoft-sdl-process-guidance-updates-version-5-2/. [Accessed: 14-May-2019].
6. [6] J. Jürjens, "UMLsec: Extending UML for Secure Systems Development," Springer, Berlin, Heidelberg, 2002, pp. 412-425. DOI: [DOI:10.1007/3-540-45800-X_32]
7. [7] J. Jürjens, Secure Systems Development with UML. Springer-Verlag Berlin, Heidelberg, 2010.
8. [8] N. R. Mead, T. Stehney, N. R. Mead, and T. Stehney, "Security quality requirements engineering (SQUARE) methodology," in Proceedings of the 2005 workshop on Software engineering for secure systems building trustworthy applications - SESS '05, 2005, vol. 30, no. 4, pp. 1-7.
DOI: [DOI:10.1145/1082983.1083214]
9. [9] N. R Mead, V. Viswanathan, and J. Zhan, "Incorporating security requirements engineering into standard lifecycle processes," International Journal of Security and Its Applications, vol. 2, no. 4, pp. 67-79, 2008. DOI: 10.1109/COMPSAC.2008.85 [DOI:10.1109/COMPSAC.2008.85]
10. [10] H. Assal and S. Chiasson, "Security in the Software Development Lifecycle," in Four-teenth Symposium on Usable Privacy and Security, 2018, pp. 281-296.
11. [11] P. Jaferian, G. Elahi, M. R. A. Shirazi, and B. Sadeghian, "RUPSec: extending business modeling and requirements disciplines of RUP for developing secure systems," in 31st EUROMICRO Conference on Software Engineering and Advanced Applications, 2005, pp.232-239. DOI: 10.1109/EUROMICRO.2005.51 [DOI:10.1109/EUROMICRO.2005.51]
12. [12] H. Mohd and et al., "A secured e-tendering model based on rational unified process (RUP) approach: inception and elaboration phases," International Journal of Supply Chain Management. Vol. 5, no 4, pp. 114-120, 2016.
13. [13] H. Belani, Z. Car, and A. Caric, "RUP-based process model for security requirements engineering in value-added service develop-ment," in 2009 ICSE Workshop on Software Engineering for Secure Systems, 2009, pp.54-60.
DOI: 10.1109/IWSESS.2009.5068459 [DOI:10.1109/IWSESS.2009.5068459]
14. [14] "Microsoft Attack Surface Analyzer. "[Online]. Available: https://www.microsoft.com/en-us/-download/details.aspx?id=24487. [Accessed: 15-May-2019].
15. [15] "FxCop | Microsoft Docs." [Online]. Available: https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-3.0/bb429476(v=vs.80). [Accessed: 15-May-2019].
16. [16] "Microsoft Code Analysis." [Online]. Available: http://microsoft.github.io/CodeAna-lysis/. [Accessed: 15-May-2019].
17. [17] "Microsoft Anti-Cross Site Scripting Library V4.3 from Official Microsoft Download Center." [Online]. Available: https://www.mic-rosoft.com/en-us/download/details.aspx-?id=43126. [Accessed: 15-May-2019].
18. [18] "Kali Linux | Penetration Testing and Ethical Hacking Linux Distribution." [Online]. Available: https://www.kali.org/. [Accessed: 15-May-2019].
19. [19] C. E. de Barros Paes and C. M. Hirata, "RUP Extension for the Development of Secure Systems," in Fourth International Conference on Information Technology (ITNG'07), 2007, pp. 643-652. DOI: 10.1109/ITNG.2007.171 [DOI:10.1109/ITNG.2007.171]
20. [20] R. Kneuper, "Software Processes in the Software Product Life Cycle," in Software Processes and Life Cycle Models, Cham: Springer International Publishing, 2018, pp. 69-157.
DOI: [DOI:10.1007/978-3-319-98845-0_3]
21. [21] Y. Mufti, M. Niazi, M. Alshayeb, and S. Mahmood, "A Readiness Model for Security Requirements Engineering," IEEE Access, vol. 6,pp.28611-28631,2018.
DOI: 10.1109/ACCESS.2018.2840322 [DOI:10.1109/ACCESS.2018.2840322]
22. [22] C. Gonzalez and E. Liñan, "A Software Engineering Methodology for Developing Secure Obfuscated Software," Springer, Cham, 2020, pp. 1069-1078. DOI: https://doi.or-g/10.1007/978-3-030-12385-7_72 [DOI:10.1007/978-3-030-12385-7_72]
23. [23] S. K. Jha and R. K. Mishra, "Predicting and Accessing Security Features into Component-Based Software Development: A Critical Survey," Springer, Singapore, 2019, pp. 287-294. DOI: [DOI:10.1007/978-981-10-8848-3_28]
24. [24] P. Morrison, D. Moye, R. Pandita, and L. Williams, "Mapping the field of software life cycle security metrics," Information and Software Technology, vol. 102, pp. 146-159, Oct. 2018. DOI:
https://doi.org/10.1016/j.infsof.2018.05.011 [DOI:10.1016/j.in-fsof.2018.05.011]
25. [25] H. Maleki, A. Jamshidi, and M. Mohammadi, "A Framework for Effective Exception Handling in Software Requirements Phase," Springer, Singapore, 2019, pp. 397-411. DOI:
https://doi.org/10.1007/978-981-10-8672-4_30 [DOI:10.1007/978-981-10-8672-4_30.]
Send email to the article author
| Rights and permissions | |
 |
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. |
