integrating security design into the software development process for e-commerce systems
DESCRIPTION
Integrating Security Design Into The Software Development Process For E-Commerce Systems. By: M.T. Chan, L.F. Kwok (City University of Hong Kong). Introduction. WWW has evolved from static info dispatcher to full blown distributed computing environment E-commerce: - PowerPoint PPT PresentationTRANSCRIPT
Integrating Security Design Into The Software
Development Process For E-Commerce Systems
By: M.T. Chan, L.F. Kwok(City University of Hong Kong)
IntroductionWWW has evolved from static info dispatcher to full blown distributed computing environment E-commerce:
Business to Customer TransactionsBusiness to Business Transactions
E-commerce systems are built on top of the WWW and internet, which are well known for their exposure to security threats of various kinds
Security Design and Software Development Process
SSE-CMM (Systems Security Engineering Capability Maturity Model)
Security Engineering:Risk Process:
• identifies and prioritizes dangers inherent to the developed product or system
Engineering Process:• Works with the other engineering disciplines to determine and
implement solutions to the problems presented by the dangers
Assurance Process:• Establishes confidence in the security solutions and conveys
this confidence to users or customers
SSE-CMMprovides a concrete framework in the design and development of a secured system.designed to be generic
applied to different domains.
defines “what” but not “how”.SSE-CMM is going to be used as a framework to specify SDPSS by further defining details of how to design and develop secured e-commerce systems for different application domains.
SDPSS Risk Process
SSE-CMM requires assessment of 4 entities:
Impact
Security risk
Threats
Vulnerabilities
Risk Data Repository Information Security Model (RDR)
Focuses on risk documentation and captures risk information about the entities and their linkagesEntities are grouped under 3 domains:
Environment domain:• entities that host or support the operation of the information
processing system
Platform domain:• Covers the description of the information processing system
and its related threats and countermeasures
Asset domain:• Represents information assets that are of certain value.
RDR concept used…but adapted
select entities that are relevant in software development and represent them as an object oriented design pattern
entities are modeled as classes and the links between entities are represented as associations between classes in an object oriented design
Security Design Pattern Entities are represented as classes which contain attributes describing the properties and methods defining operations that can be performed on the classes.
Vulnerabilities, Threats, Risks, and Impacts Asset – represents a unit of the e-commerce system being designed that has a value and loss of it may have an impact, financially or otherwise. Deployment – a combination of hardware/software on which the asset operates.
Vulnerabilities are then classified into 2 main categories: asset vulnerabilities and deployment vulnerabilities.
ExampleA function in an e-commerce system, which is responsible to send out purchase orders in the form of e-mail. This function is an asset and the e-mail purchase order being intercepted is the vulnerability. The cost of damage to the company if the purchase orders are tempered is the impact.The potential of being intercepted is represented as the risk attribute in the link class threat and one of the countermeasures is to perform encryption before the purchase order is sent.
Software Development Process as the Engineering Process
The software process used to reengineer three-tier client/server systems to Web-based systems is adopted and extended with security design considerations.
It is based on unified modeling language (UML).
UML and SDPSS
To facilitate communication between designers, five types of diagrams are selected to support SDPSS:
Use caseClassCollaborationComponentDeployment diagrams
4 steps
The proposed SDPSS has 4 major steps: Object and collaboration modeling
Tier Identification
Component Identification
Deployment Specification
SDPSS is designed to…Model e-commerce applications in a well-defined mannerProvide a generic model
Security design will be meaningful and applicable across different application domains
Document the architecture of e-commerce application with clear and precise definition of security perimetersGive flexibility to designers to perform trade-off in security design on top of functional design according to defined design goals
Object and Collaboration Modeling Object modeling
Capture the functional requirements of the system using use case diagrams Establish the general layout of the system design in terms of class diagrams.
Collaboration Modeling Analyze how objects or classes interact with each other. Goal: to ensure all functional requirements are met by step-wise refinement and going through all identified use cases.
Specifying Security Needs Through Tier Identification
Objects are first grouped into tiers according to functional requirements and deployment considerations.
Tiers are examined according to vulnerabilities, risks and impacts to identify assets.
Regrouping may be necessary
corresponding countermeasures, risks and impact could be specified and documented
The mapping of tiers to assets therefore brings together the risk process and the engineering process.
Component Identification Component – identifies sets of objects that are coherent in terms of functional requirements and are reused. Criteria to identify components:
A component serves as the basic unit of security perimeterComponents are derived from objects coming from the same tierComponents are derived from objects coming from the same physical deployment, i.e. same technological platform.
Deployment Specification and Platform Security
Possible to deploy different parts of the system on more than one platform.In UML notation deployment diagrams describe physical machines used to run components.
Too restrictive for e-commerce applications
Semantics of node in UML extended to include deployment technology specification. Identify a set of known vulnerabilities for that platform. The risk of deploying a tier of components can be evaluated and suitable countermeasures can be built into the design.
Deployment (continued)
A link between a deployment and an asset representing the software components of that asset would be run in the deployment platform.
Before the coding phase of a project starts:designers can model different deployment scenarios
balance the pros and cons
make a trade-off to arrive at an optimal solution.
ExampleAn internet server provides web services to external clients and the intranet server provides database access and internal inventory control operations. Security design considerations for the 2 servers are quite different. The intranet server should have very stringent security needs and should be protected behind a firewall Internet server has to be opened to the Internet and other countermeasures should be employed.
The Assurance Process With the assistance of CASE (computer aided software engineering) tools
All security related design information would be accessible as a central repository Possible to perform various assurance exercises with the model
Whether security needs are met and can be checked by verifying that assets are actually linked to the correct vulnerabilities, tiers and components are correctly aggregated into assets and linked to deployment properly.
Example
It is the company policy to require that any order information sent to a supplier must be encrypted.
To verify this, a cross-reference report could be generated from CASE tools and see if the vulnerability association of the place order component actually points to the repudiation vulnerability.
ConclusionAll vulnerabilities, impacts, threats and risks could be continuously monitored and updated.Countermeasures could be improved and verified through feedback from actual deployment or security alerts issued by vendors. By separating the risk and the engineering process, any updated countermeasures can be easily implemented without intensive modification of the application system. Dedicated teams with clear responsibilities can be separately assigned to the risk, engineering and assurance process sharing the centralized model built from the SDPSS.
Chan, M.T. and L.F. Kwok, "Integrating Security Design Into the Software Development Process for E-Commerce Systems", Information Management & Computer Security, Volume 9, No. 3. 2001. Pages 112-122.