We also evaluated our approach with respect to ISO/IEC 15408:2005, also known as
the Common Criteria (CC). The architectural artifacts generated by our approach
can be used in a CC certification through the TOE (Target of Evaluation) Design
Specification (TDS) of the assurance class ADV (Development). For instance,
EAL (Evaluation Assurance Level) 5 requires a semiformal modular design, i.e., a
representation of the TOE's structure in terms of subsystems and a description of
the parts each subsystem consists of in terms of modules. In addition to the TDS
requirements for EAL 4, the SFR (Security Functional Requirement)-supporting
modules must be described in detail, i.e., by their SFR-related interfaces, the
return values of those interfaces, and the interfaces of other modules they call.
These TDS requirements are met by the artifacts that describe the realizations of
GSC and GNC instances. Moreover, a semiformal notation must be used for the
SFR-enforcing modules. Since our approach uses UML 2.3 diagrams, this requirement
is fulfilled right away. The tool suite developed for the original version of
UMLsec, which also checks the OCL constraints of the UMLsec4UML2 profile,
supports the creation of TDS documents. For instance, the stereotype
«secure dependency» makes it possible to track the occurrences of assets in the
complex TDS documents. Using a UML editing tool such as Papyrus UML, the OCL
constraints representing this stereotype can be verified to ensure that all
relevant occurrences of an asset have been covered.
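To make concrete what "verifying the constraints of «secure dependency»" checks, the following is an added example that is not part of the paper and not code from the UMLsec tool suite or Papyrus. It re-implements the «secure dependency» rule as defined for UMLsec (the message names listed under the tags {secrecy}, {integrity} and {high} must agree on both ends of every «call» or «send» dependency, and a dependency carrying a protected message must itself be stereotyped «secrecy», «integrity» or «high» accordingly) in plain Python over a small in-memory model instead of OCL over the UML2 metamodel. The component and message names (KeyStore, Signer, Logger, getKey, listIds) are constructed for illustration and are not the paper's GSC or GNC instances; the second function shows the asset-tracking use mentioned above.

```python
"""Added example (not from the paper or the UMLsec tool suite):
a plain-Python check of the UMLsec <<secure dependency>> constraint over
a constructed in-memory model. Names below are illustrative assumptions."""
from dataclasses import dataclass, field

# UMLsec tags whose values are sets of message names to be protected
SECURITY_TAGS = ("secrecy", "integrity", "high")


@dataclass
class Component:
    name: str
    # tag name -> message names this component wants protected under that tag
    tags: dict = field(default_factory=dict)

    def protected(self, tag):
        return self.tags.get(tag, set())


@dataclass
class Interface:
    owner: Component          # the component offering the interface
    messages: frozenset       # message names callable through it


@dataclass
class Dependency:
    client: Component
    supplier_iface: Interface
    stereotypes: frozenset    # e.g. {"call", "secrecy"}


def check_secure_dependency(deps):
    """Return a list of violation strings; an empty list means every
    <<call>>/<<send>> dependency satisfies <<secure dependency>>."""
    violations = []
    for d in deps:
        if not ({"call", "send"} & d.stereotypes):
            continue  # the constraint only concerns <<call>> and <<send>>
        c, s = d.client, d.supplier_iface.owner
        for msg in sorted(d.supplier_iface.messages):
            for tag in SECURITY_TAGS:
                in_client = msg in c.protected(tag)
                in_supplier = msg in s.protected(tag)
                if in_client != in_supplier:
                    side = "client" if in_client else "supplier"
                    violations.append(
                        f"{c.name}->{s.name}: {msg} tagged {{{tag}}} in {side} only")
                elif in_client and tag not in d.stereotypes:
                    violations.append(
                        f"{c.name}->{s.name}: {msg} is {{{tag}}} but the "
                        f"dependency lacks <<{tag}>>")
    return violations


def asset_occurrences(components, asset):
    """List (component, tag) pairs under which an asset (a message name)
    is declared protected; this is the occurrence tracking a TDS reviewer
    needs when checking that every use of an asset was covered."""
    return sorted((c.name, tag)
                  for c in components
                  for tag in SECURITY_TAGS
                  if asset in c.protected(tag))


def build_sample_model():
    """Constructed model: a key store called by a correct client and by a
    client that forgot to declare the key material secret."""
    keystore = Component("KeyStore", {"secrecy": {"getKey"}})
    signer = Component("Signer", {"secrecy": {"getKey"}})
    logger = Component("Logger", {})  # missing {secrecy = getKey}
    iface = Interface(keystore, frozenset({"getKey", "listIds"}))
    deps = [
        Dependency(signer, iface, frozenset({"call", "secrecy"})),
        Dependency(logger, iface, frozenset({"call"})),
    ]
    return [keystore, signer, logger], deps


if __name__ == "__main__":
    comps, deps = build_sample_model()
    for v in check_secure_dependency(deps):
        print("violation:", v)
    print("getKey occurs in:", asset_occurrences(comps, "getKey"))
```

Running the block reports exactly one violation, for the Logger dependency, which is the kind of gap the OCL check in an editor such as Papyrus flags before the model is turned into TDS documentation; a dependency without «call» or «send» is deliberately ignored, matching the scope of the rule.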
5 Related Work
Recently, an approach [10] connecting the security requirements analysis method
Secure Tropos by Mouratidis et al. [3] with UMLsec [8] has been published. Bryl
et al. [1] extended the Secure Tropos variant by Massacci et al. [9] with an
approach that automatically selects design alternatives based on the results of
the security requirements analysis. Compared to our work, these approaches are
not based on patterns, and they focus on the transition to a finer-grained secure
design.
Choppy et al. [2] present architectural patterns for Jackson's basic problem
frames [7]. The patterns constitute layered architectures described by UML
composite structure diagrams. Like other approaches that consider the connection
between problem frames and software architectures, such as [13, 4], the work by
Choppy et al. does not consider security requirements, behavioral interface
descriptions, or operation semantics. Furthermore, [2] gives only a vague general
procedure for deriving the components for a specific frame diagram.
The vast body of patterns for secure software engineering (see [5] for an
overview) can be used in the phase that follows the one presented in this paper,
i.e., these patterns are applied in the fine-grained design of secure software.
Hence, the existing security design patterns and our approach complement each
other, to the extent that the existing patterns can be expressed in a unifying
way based on SPFs, CSPFs, and GSAs.