• PDF / 491,089 Bytes
• 13 Pages / 439.363 x 666.131 pts Page_size
• 9 Downloads / 187 Views

DOWNLOAD

REPORT

SBA-Research, Austria {chochreiner,pkieseberg,eweippl}@sba-research.org 2 St. Poelten University of Applied Sciences, Austria [email protected] 3 Austrian Institute of Technology [email protected]

Abstract. With the rise of Model Driven Engineering (MDE) as a software development methodology, which increases productivity and, supported by powerful code generation tools, allows a less error-prone implementation process, the idea of modeling security aspects during the design phase of the software development process was first suggested by the research community almost a decade ago. While various approaches for Model Driven Security (MDS) have been proposed during the years, it is still unclear, how these concepts compare to each other and whether they can improve the security of software projects. In this paper, we provide an evaluation of current MDS approaches based on a simple web application scenario and discuss the strengths and limitations of the various techniques, as well as the practicability of MDS for web application security in general.

1

Introduction and Related Work

Model Driven Engineering (MDE) has gained a lot of attention during the past few years. The rise of modeling languages, especially UML, drove the development of MDE techniques as well as more and more sophisticated tool support for the automated generation of code. One of the most important motivations for applying MDE techniques is software correctness. Generally, software defects can result from two sources during the software development process: First, problems can originate from bad design decisions in the planning phase of the software development process. This type of defects, often referred as flaws, is fatal as elimination of the fundamental design misconceptions in later phases of the development process may require a general overhaul of the entire architecture. Modeling techniques can support development in this early design phase. The second type of defect is based on implementation errors (bugs). Even if the software was designed to work correctly, the actual implementation can introduce errors which led to the development of tools for automated code generation. In this case, the availability of automated tools that allow the translation of Linawati et al. (Eds.): ICT-EurAsia 2014, LNCS 8407, pp. 419–431, 2014. c IFIP International Federation for Information Processing 2014 

420

C. Hochreiner et al.

the abstract model into code that can be compiled or directly interpreted by a machine is of crucial importance. Furthermore, techniques such as model validation, checking and model-based testing can be used to support the reliability of a program in reference to its model. With the success of MDE approaches the idea of bringing these concepts to the security domain was raised by the scientific community almost a decade ago [3,6]. The basic idea is similar to MDE: The process of modeling security aspects of a software project should enhance its quality - in this case related to security. The theoretical c

Recommend Documents

Detection of XSS Vulnerabilities of Web Application Using Security Testing Approaches

143 11 25MB

Model-Driven Chatbot Development

164 94 47MB

Model Driven Development

180 64 239KB

Two Web Application Approaches: Rails and Sinatra

175 76 6MB

Incremental Quality Improvement in Web Applications Using Web Model Refactoring

198 104 365KB

Deploying Your Model as a Web Application

194 6 15MB

From requirements to implementations: a model-driven approach for web development

170 69 2MB

Model Driven Engineering and Ontology Development

188 10 15MB

Model Driven Architecture and Ontology Development

187 13 6MB

Model-Driven Development of Advanced User Interfaces

190 9 10MB

Security in Amazon Web Services

154 35 7MB

Data-Driven Security

155 54 49MB