A Model Driven Approach for Generating Code from Security Requirements
Óscar Sánchez, Fernando Molina, Jesús García Molina, Ambrosio Toval
2009
Abstract
Nowadays, Information Systems are present in numerous areas and they usually contain data with special security requirements. However, these requirements do not often receive the attention that they deserve and, on many occasions, they are not considered or are only considered when the system development has finished. On the other hand, the use of model driven approaches has recently demonstrated to offer numerous benefits. This paper tries to align the use of a model driven development paradigm with the consideration of security requirements from early stages of software development (such as requirements elicitation). With this aim, a security requirements metamodel that formalizes the definition of this kind of requirements is proposed. Based on this metamodel, a Domain Specific Language (DSL) has been built which allows both the construction of requirements models with security features and the automatic generation of other software artefacts from them. An application example that illustrates the approach is also shown.
References
- Villarroel, R., Fernández-Medina, E., Piattini, M.: Secure information systems development - a survey and comparison. Computers & Security 24 (2005) 308-321
- Selic, B.: Mda manifestations. The European Journal for the Informatics Professional IX (2008)
- Kelly, S., Tolvanen, J.: Domain-Specific Modeling: Enabling Full Code Generation. WileyIEEE Computer Society Press (2008)
- ORACLE: Oracle label security. http://www.oracle.com/technology/deploy/security/data base-security/label-security/index.html (2008)
- OASIS: extensible access control markup language. ”http://www.oasis-open.org/” (2008)
- Goknil, A., Kurtev, I., van den Berg, K.: A metamodeling approach for reasoning about requirements. In: ECMDA-FA. (2008) 310-325
- Vicente-Chicote, C., Moros, B., Toval, A.: Remm-studio: an integrated model-driven environment for requirements specification, validation and formatting. Journal of Object Technology, Special Issue TOOLS EUROPE 2007,6 (2007) 437-454
- Berre, A. J.: Comet (component and model based development methodology). http:// modelbased.net/comet/ (2006)
- MAGERIT: Methodology for information systems risk analysis and management. Spanish Ministry for Public Administration. http://www.csae.map.es/csi/pg5m20.htm (2006)
- I.S.O.: Iso/iec 15408 (common criteria v3.0): Information technology security techniquesevaluation criteria for it security. (2005)
- Rodríguez, A., Fernández-Medina, E., Piattini, M.: A bpmn extension for the modeling of security requirements in business processes. IEICE Transactions 90-D (2007) 745-752
- Standard:ECMA-271: Extended commercially oriented functionality class for security evaluation. (1999)
- Mellado, D., Fernández-Medina, E., Piattini, M.: A common criteria based security requirements engineering process for the development of secure information systems. Comput. Stand. Interfaces 29 (2007) 244-253
- Samarati, P., Capitani, S. D.: Access control: Policies, models, and mechanisms. In: FOSAD. (2000) 137-196
- Eclipse: Eclipse graphical modeling framework. http://www.eclipse.org/gmf/ (2008)
- Eclipse: Generative Modeling Technologies (GMT): MOFScript. http://www.eclipse.org/ gmt/ (2008)
- Fernández-Medina, E., Piattini, M.: Designing secure databases. Information & Software Technology 47 (2005) 463-477
Paper Citation
in Harvard Style
Sánchez Ó., Molina F., Molina J. and Toval A. (2009). A Model Driven Approach for Generating Code from Security Requirements . In Proceedings of the 7th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2009) ISBN 978-989-8111-91-3, pages 119-126. DOI: 10.5220/0002199601190126
in Bibtex Style
@conference{wosis09,
author={Óscar Sánchez and Fernando Molina and Jesús García Molina and Ambrosio Toval},
title={A Model Driven Approach for Generating Code from Security Requirements},
booktitle={Proceedings of the 7th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2009)},
year={2009},
pages={119-126},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002199601190126},
isbn={978-989-8111-91-3},
}
in EndNote Style
TY  - CONF 
JO  - Proceedings of the 7th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2009)
TI  - A Model Driven Approach for Generating Code from Security Requirements
SN  - 978-989-8111-91-3
AU  - Sánchez Ó. 
AU  - Molina F. 
AU  - Molina J. 
AU  - Toval A. 
PY  - 2009
SP  - 119
EP  - 126
DO  - 10.5220/0002199601190126