Analysis and Evaluating Security of ComponentBased Software Development: A Security Metrics Framework

Full Text (PDF, 567KB), PP.21-31

Views: 0 Downloads: 0

Author(s)

Irshad Ahmad Mir 1,* S.M.K Quadri 1

1. Post Graduate Department of Computer Science, University of Kashmir, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2012.11.03

Received: 1 Mar. 2012 / Revised: 17 May 2012 / Accepted: 20 Jul. 2012 / Published: 8 Oct. 2012

Index Terms

Security Evaluation, Software Architecture, Security metrics, Component-dependencies

Abstract

Evaluating the security of software systems is a complex problem for the research communities due to the multifaceted and complex operational environment of the system involved. Many efforts towards the secure system development methodologies like secSDLC by Microsoft have been made but the measurement scale on which the security can be measured got least success. As with a shift in the nature of software development from standalone applications to distributed environment where there are a number of potential adversaries and threats present, security has been outlined and incorporated at the architectural level of the system and so is the need to evaluate and measure the level of security achieved . In this paper we present a framework for security evaluation at the design and architectural phase of the system development. We have outlined the security objectives based on the security requirements of the system and analyzed the behavior of various software architectures styles. As the component-based development (CBD) is an important and widely used model to develop new large scale software due to various benefits like increased reuse, reduce time to market and cost. Our emphasis is on CBD and we have proposed a framework for the security evaluation of Component based software design and derived the security metrics for the main three pillars of security, confidentiality, integrity and availability based on the component composition, dependency and inter component data/information flow. The proposed framework and derived metrics are flexible enough, in way that the system developer can modify the metrics according to the situation and are applicable both at the development phases and as well as after development.

Cite This Paper

Irshad Ahmad Mir, S.M.K Quadri, "Analysis and Evaluating Security of Component-Based Software Development: A Security Metrics Framework", International Journal of Computer Network and Information Security(IJCNIS), vol.4, no.11, pp.21-31, 2012. DOI:10.5815/ijcnis.2012.11.03

Reference

[1]D. P. Gilliam, T. L. Wolfe, J. S. Sherif, and M. Bishop. "Software security checklist for the software life cycle." In Proceedings of the Twelfth IEEE International Workshop on Enabling Technologies: Infrastructure for Colaborative Enterprises (WETICE'03), 2003.
[2]W. Jansen, "Directions in security metrics research", U.S. National Institute of Standards and Technology, NISTIR 7564, Apr. 2009
[3]M. Howard and S. Lipner. The Security Development Lifecycle. Microsoft Press, 2006.
[4]Oman, P., Risley, A., Roberts, J., and Schweitzer III, E.O. "Attack and Defend Tools for Remotely Accessible Control and Protection Equipment in Electric Power Systems," 55th Annual Conference for Protective Relay Enginers, Texas A&M University, April 9–11, 2002, College Station, TX. <http://www.selinc.com/techpprs/6132.pdf> (4 Mar. 2003)
[5]Bayuk J.L. "Alternate security metrics" Eight International conference on Information Technology: New Generation IEEE, 2011.
[6]S. B. Lipner. The Trustworthy Computing security development Life Cycle. In Proceedings of 20th Annual Computer Security Applications Conference. IEEE Computer Society, December 2004, pp. 2-13.
[7]D. Firesmith "Specifying reuse able security requirements" Journal of object technology vol.3, No. 1, Jan 2004. Pp. 61-75.
[8]R. Savola, "Requirement Centric Security Evaluation of Software Intensive Systems," DepCOSRELCOMEX '07, Szklarska Poreba, Poland, jun., 14-16,2007, pp.135-142
[9]B Thuraisingham "Challenges and Future Directions of Software Technology: Secure Software Development" 34th Annual IEEE Conference on Computer Software and Application, 2010.
[10]Hong Mei, Jichuan Chang, Fuqing Yang, "Composing Software Components at Architectural Level", IFIP WCC2000, Beijing, 2000.8
[11]Perry, D.E, Wolf, A.L, Foundations for the study of software architecture, ACM SIGSOFT Software engineering notes,1992, 17(4), 40-52
[12]IEEE 1471:2000—Recommended practice for architectural description of software intensive systems. Los Alamitos, CA: IEEE. 2000.
[13]Bohem, B and W.L. Scherlis, "Megaprogramming." In Proceedings of the DARPA Software Technology Conference 1992, Los Angeles, CA, April 28-30, (Meridien Corp., Arlington, VA) 1992. pp. 63-82.
[14]B. Boehm and V. Basili, "Software defect reduction top 10 list," Foundations of empirical software engineering: the legacy of Victor R. Basili bach, and M. V. Zelkowitz, Eds. Heidelberg, Germany: Springer, 2005, pp. 426-431.
[15]M.Shaw, D.Garlan Software Architecture, Prentice Hall, Englewood Cliffy, NJ, USA, 1996.
[16]C. Szyperski. Component Software: Beyond Object-Oriented Programming. Addison-Wesley, 1998.
[17]G. Pour, "Component-Based Software Development Approach: New Opportunities and Challenges," Proceedings Technology of Object-Oriented Languages, 1998. TOOLS 26., pp. 375-383.
[18]A.W. Brown, S. Johnston, and K. Kelly. Large-scale, using service-oriented architecture and component-based development to build web service applications. Rational Software White Paper TP032, 2002
[19]Kung-Kiu Lau and Zheng Wang. Software component models. IEEE Transactions on Software Engineering, 33(10), October 2007, pp. 709-724.
[20]B. Christiansson, L. Jakobsson, and I. Crnkovic, "CBD Process," Building Reliable Component-Based Software Systems, I. Crnkovic and M. Larsson, eds., pp. 89-113, Artech House, 2002.
[21]Kung-Kiu Lau and Zheng Wang "Software Component Models" , IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 33, NO. 10, OCTOBER 2007.
[22]P. Clements, "A Survey of Architecture Description Languages," Proc. Eighth Int'l Workshop Software Specification and Design (IWSSD'96), pp. 16-25, 1996.
[23]N. Medvidovic and R.N. Taylor, "A Classification and Comparison Framework for Software Architecture Description Languages, "IEEE Trans. Software Eng., vol. 26, no. 1, pp. 70-93, Jan.2000.
[24]A. Wigley, M. Sutton, R. MacLeod, R. Burbidge, and S. Wheelwright, Microsoft .NET Compact Framework (Core Reference). Microsoft Press, Jan. 2003.
[25]G. Alonso, F. Casati, H. Kuno, and V. Machiraju, Web Services: Concepts, Architectures and Applications. Springer-Verlag, 2004.
[26]L. DeMichiel and M. Keith, Enterprise JavaBeans, Version 3.0. SunMicrosystems, 2006.
[27]R. van Ommering, F. van der Linden, J. Kramer, and J. Magee, "The Koala Component Model for Consumer Electronics Software," Computer, vol. 33, no. 3, pp. 78-85, Mar. 2000.
[28]R. van Ommering, "The Koala Component Model," Building Reliable Component-Based Software Systems, I. Crnkovic and M. Larsson, eds., pp. 223-236, Artech House, 2002.
[29]F. Pla´_sil, D. Balek, and R. Janecek, "SOFA/DCUP: Architecture for Component Trading and Dynamic Updating," Proc. Fourth Int'l Conf. Configurable Distributed Systems (ICCDS '98), pp. 43-52, 1998.
[30]C. Atkinson, J. Bayer, C. Bunse, E. Kamsties, O. Laitenberger, R. Laqua, D. Muthig, B. Paech, J. Wu¨ st, and J. Zettel, Component-Based Product Line Engineering with UML. Addison-Wesley, 2001.
[31]R. van Ommering, "The Koala Component Model," Building Reliable Component-Based Software Systems, I. Crnkovic and M. Larsson, eds., pp. 223-236, Artech House, 2002.
[32]J. Cheesman and J. Daniels, UML Components: A Simple Process for Specifying Component-Based Software. Addison-Wesley, 2000.
[33]Binbin Qu, Zuwen Chen, Yansheng Lu "An approach of test sequence generation for component-based software" 2nd International Conference on Future Computer and communication (ICFCC) vol.2. pp. 370-373, May 2010.
[34]B. Li, "Managing Dependencies in Component-Based Systems Based on Matrix Model" Proc. of Net.ObjectDays Conf., pp.22-25, 2003.
[35]Rosen, Kenneth H., Discrete Mathematics and its Applications, Third Edition, McGraw-Hill, Inc, 1994.
[36]M. Abdellatief, "Component-Based Software System Depencey Metrics based on Component Information Flow Measurement", The Sixth International Conference on Software Engineering Advances, ISBN: 978-1-61208-165-6 ICSEA 2011.1
[37]W. Jansen, "Directions in security metrics research", U.S. National Institute of Standards and Technology, NISTIR 7564, Apr. 2009, 21
[38]M. Howard and S. Lipner. The Security Development Lifecycle. Microsoft Press, 2006.