Based on the results of the SERENITY project (funded under the EU Framework Programme), these slides present a security-aware software engineering process. They show how security must be taken into account in the different phases of software development, including agile development approaches.
1. Serenity Project: Security in Software Engineering
2. Part 3: Security in Software Engineering
Security-aware Software Engineering Processes
Creation of Secure Applications
Francisco Sánchez Cid
Project Manager
Instituto Tecnologico de Informatica
Valencia (Spain)
3. We all agree:
• Indirectly, SE has a big impact on our ability to deliver and maintain applications
… but can a methodology be a direct revenue generator?
E.g. a system for olive classification in Spain
“...If we can certify that we have a secure software development life-cycle we stand to increase our overall revenue with clients from 10-20%.”
Our Chief Software Architect
• Actually utilizing our methodology as a competitive advantage! WOW!
• Unit, integration, and acceptance tests and their automation mean you can actually certify that your software is reasonably secure, at least for what you’re testing for
4. All right. This approach seems to work fine for 90% of the applications we develop, but… what about the other 10%?
• For this 10% of applications we do not only have security requirements but also:
o These requirements evolve as time goes by
o The operational context is unpredictable or uncertain
o We don’t want the app to be tightly coupled to a specific solution
o E.g. Digital Signature Applet
• Just one way out:
o Identify and develop generic solutions
o Use a model to represent the solutions
o Link generic solutions to specific implementations
o Once a solution is selected, monitor its validity over time
… Kind of Model Driven Engineering? Let’s have a look at it
6. Security Aware Software Engineering Process
Current technology challenges
• Model Driven Engineering comes to help
– Models
– Model Driven Architecture
– MDA and Security
• Model transformations
– What is a transformation
– Example
• Conclusions
7. Current technology challenges
• Current applications are tightly coupled to the underlying technologies
– The investment made in their development is at risk because of this dependence
• Many different platforms and technologies
– Distributed objects, components, web services…
– Not interoperable
– No reuse (at least if they are not correctly designed)
• Very fast evolution
– New technologies appear every day
– Old technologies disappear
– How to protect the investment in business logic?
9. MDE as opposed to OO
Object Oriented Design: everything is an object
Model Driven Engineering: everything is a model
[Class diagram “MDE vs OO”: in OO, an Instance is an instanceOf a Class, which inheritsFrom a SuperClass; in MDE, a System is representedBy a Model, which conformsTo a Meta-Model. The relations in these two approaches clearly differ.]
10. Model Driven Engineering (MDE)
• Approach to software development based on models and on model transformations
– Current approaches are based on objects, programs and compilers
• MDE implies the (semi-)automated generation of implementations from models
• Modelling languages are key to MDE
– Model transformation languages are also modelling languages
– Models conform to meta-models
• MDA is the OMG’s proposal for MDE, using OMG standards
– MOF, UML, OCL, XMI, QVT
– MOF and UML allow the definition of new families of languages
11. What is a model ?
• A description of (part of) a system written in a well-defined
language (Equivalent to specification) [Kleppe, 2003]
• A description or specification of the system and its
environment for some certain purpose. A model is often
presented as a combination of drawings and text [MDA Guide,
2003]
12. Models in software
• “...Bubbles and arrows, as opposed to programs, never crash.” [B.
Meyer, 1997]
• The problem is to maintain the link between models and source code
[Figures on this slide: (1) a sequence diagram “Activate Pattern” with the lifelines Application, S&D Manager, Event Manager, S&D Query, Runtime S&D Context Manager and Library, and the messages 1: Request Class(), 2: Get Context(), 3: Send Context(), 4: Get Available Patterns(), 5: Build Query(), 6: Query For Patterns(), 7: Return Patterns(), 8: Return Patterns(), 9: Choose Pattern(), 10: Update Context(), 13: Send Implementation Handler; (2) the S&D metamodel (“Metamodelo”) relating S&DClass, S&DPattern, S&DImplementation, ExecutableComponent, S&DProperty, S&DArtefact, S&DSolution, S&DRequirement and Application through the relations RefersTo, BelongsTo, Implements, Provides, Represents, Requires, Secures and Has; (3) a sample application model (“SampleApplicationIM”) with EmailDB, CommunicationSystem, EmailSystem, GUI and an AccessControl component secured («Securizes») by the «S&DPattern» smartCardAuthentication.UMA.es; and (4) the fragment of monitoring code the models have to stay linked to:]
    public class ActiveMonitoringManager extends Observable {
        private static MonitoringServiceIF monitoringAccess;
        private Hashtable<String, MonitorInfo> activeMonitors;
        private static ActiveMonitoringManager mManager = getInstance();
13. Limitations of models (in SE)
• Models are used only as documentation (if the system is documented at all)
• “Gap” between the model and the implementation of the system
– Semantic gap between the respective languages
– Changes in the model do not reflect in the code
– Changes in the code do not reflect in the model (the model is thrown away after
the first implementation, and never updated or used again)
• No “merge” of models (though some tools actually help)
– Unrelated views of a system (horizontal)
– Unrelated towers of models (vertical)
• No model “transformations”
– Few defined transformation languages
– No tools
• We are still far behind more mature engineering industries, such as
aerospace, automotive and electrical engineering....
• ...Even hardware design is ahead of software design!
14. Kinds of SE models
• Depending on:
– The phase of the project
• Analysis models, design models, ...
– The level of detail
• High level models, Low level models (implementations)
– The view of the system
• Business models, Software Architecture models, Deployment models,...
– The aspect they focus on
• Structural models, behavioural models, QoS models, ...
– The level of technology independence
• Computation Independent Models, Platform Independent
Models, Platform Specific Models
– The particular target platform
• J2EE, .NET, CORBA, EDOC, ....
15. MDA: OMG’s Four-layer metamodel architecture
• M3, MOF (Meta Object Facility) used to describe meta-models
• M2, Meta-models used to describe modelling languages
• M1, models used to describe applications
• M0, instances of applications
18. MDA Models (M1)
• Computation Independent Model (CIM)
– A view of a system from the computation independent viewpoint
– A CIM focuses on the system and its environment; the details of the structure of the system are hidden or as yet undetermined
– A CIM is sometimes called a domain model or a business model, and is specified using a vocabulary that is familiar to the practitioners of the domain in question
– It may hide much or all information about the use of automated data processing systems
• Platform Independent Model (PIM)
– A platform independent model is a view of a system from the platform independent viewpoint
– A PIM exhibits platform independence and is suitable for use with a number of different platforms of
similar type
• Platform Specific Model (PSM)
– A platform specific model is a view of a system from the platform specific viewpoint
– A PSM combines the specifications in the PIM with the details that specify how that system uses a
particular type of platform
• Platform Model (PM)
– A platform model provides a set of technical concepts, representing the different kinds of parts that
make up a platform and the services provided by that platform
– It also provides, for use in a platform specific model, concepts representing the different kinds of
elements to be used in specifying the use of the platform by an application
19. Examples of MDA models
• CIM
– Use case models capturing the system requirements
• PIM
– The software architecture of the system, that describes how the functionality of
the system is decomposed into (architectural) components and connectors
• PSM
– A model of the J2EE implementation of the system, expressed using the EJB
Profile that describes how the (architectural) components need to be
implemented by EJBs
• Platform Model (Code)
– The EJBs themselves, their configuration files, etc., ready to be deployed
21. Model Driven Security (D. Basin)
• It is an extension of MDA
[Figure: a System Model (components A and B) is combined with a Security Model (the same components annotated with a «secumlRole» Customer and a «secumlPermission»); a Model Transformation with security extensions produces the Target System plus its Security Infrastructure (RBAC, assertions, etc.).]
22. Model Driven Security
• Three UML extensions
– ComponentUML, a class-based language for data modelling
– ControllerUML, for modelling system behaviour evolution
– SecureUML, for modelling secure systems based on RBAC
• Confidentiality and Integrity are modelled using RBAC
• They are composed into Security Languages for modelling design and security
• Only for class, sequence and state chart diagrams
25. Model Driven Security
• A Security Design Language glues the two languages together
• Each language is equipped with an abstract and concrete
syntax, semantics, and a technology dependent translation
function
• Dialect bridges design language with security language by
identifying which design elements are protected resources
[Figure: the Security Design Language is built from the Security Modelling Language (SecureUML), a Dialect, and the System Design Modelling Language (ComponentUML, ControllerUML).]
26. Model Driven Security
• Example
There is an implementation of this on top of the ArcStyler MDA tool
28. Model transformation
• Model transformation is the process of converting one model to another model of the same system
• The MDA pattern includes (at least): a PIM, a Platform Model, a Transformation, and a PSM
• Useful to
– Mark models
– Transform meta-models
– Merge models
– Include information in models
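To make the transformation and the RBAC composition of the previous slides concrete, here is an added example in Python (my own illustration; it is not code from the slides, from the SERENITY project or from Basin's ArcStyler implementation). A SecureUML-style security model (roles, role inheritance, permissions) is composed with a ComponentUML-style design model (entities and their actions) through a dialect check that every permission names a protected resource, and the pair is transformed into a platform-level access-control table that a default-deny runtime check consults. The entities, roles, permissions and the rendered output format are all assumptions constructed for the example.

```python
# Added example (not from the slides, SERENITY, or ArcStyler): a toy
# Model Driven Security transformation in the style of SecureUML.
# A ComponentUML-like design model (entities with actions) and a
# SecureUML-like security model (roles, role inheritance, permissions)
# are merged through a "dialect" check and transformed into a
# platform-level access-control list that a runtime check consults.
# Every entity, role and permission below is constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """Design-model element: a protected resource and its actions."""
    name: str
    actions: tuple


@dataclass(frozen=True)
class Permission:
    """Security-model element: a role may perform actions on an entity."""
    role: str
    entity: str
    actions: tuple


@dataclass(frozen=True)
class SecurityModel:
    roles: dict          # role -> tuple of roles it inherits from
    permissions: tuple


def ancestors(model, role):
    """Transitive closure over role inheritance: the role itself plus
    every role it (directly or indirectly) inherits from."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(model.roles.get(r, ()))
    return seen


def transform(design, security):
    """PIM + security model -> PSM-level ACL, {(entity, action): set(roles)}.

    The dialect step rejects a permission on anything that is not a
    protected resource in the design model, so the security model cannot
    silently refer to an element that does not exist.
    """
    acl = {(e.name, a): set() for e in design for a in e.actions}
    for p in security.permissions:
        for action in p.actions:
            if (p.entity, action) not in acl:
                raise ValueError(
                    f"dialect error: {p.entity}.{action} is not a protected resource")
            # Every role that inherits from p.role receives the permission too.
            for role in security.roles:
                if p.role in ancestors(security, role):
                    acl[(p.entity, action)].add(role)
    return acl


def is_permitted(acl, role, entity, action):
    """Runtime check against the generated ACL; anything not granted is denied."""
    return role in acl.get((entity, action), set())


def render_psm(acl):
    """One platform-flavoured line per protected operation (constructed
    output format, standing in for a generated deployment descriptor)."""
    return [f"{e}.{a}: {', '.join(sorted(r)) or '<denied to all>'}"
            for (e, a), r in sorted(acl.items())]


# Constructed models.
DESIGN_MODEL = (
    Entity("Account", ("read", "transfer", "close")),
    Entity("AuditLog", ("read", "append")),
)
SECURITY_MODEL = SecurityModel(
    roles={"Clerk": (), "Supervisor": ("Clerk",), "Auditor": ()},
    permissions=(
        Permission("Clerk", "Account", ("read",)),
        Permission("Supervisor", "Account", ("transfer",)),
        Permission("Auditor", "AuditLog", ("read",)),
        Permission("Clerk", "AuditLog", ("append",)),
    ),
)
ACL = transform(DESIGN_MODEL, SECURITY_MODEL)

if __name__ == "__main__":
    print("\n".join(render_psm(ACL)))
```

Two properties of the transformation are worth noticing: an action that no permission mentions (here Account.close) ends up denied to every role rather than left unspecified, and a permission on an action the design model does not declare fails at transformation time instead of becoming a dangling rule in the generated infrastructure.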
29. Examples of MDA transformations
Transformations are everywhere…
30. Examples of MDA transformations: GMF
Although not specific for security, a representative technology…
31. GMF: first, the model
E.g. design of workflows for public administration
[Figure: GMF domain model with the classes Diagram, Graphical Element, Link (with source and target ends, 1 to 0..*), Association, Sequence, Start, End, Activity, …, Form and FormItem (Form 1 to FormItem 0..*).]
35. Conclusions to MDA
• MDA seems to be the right way to go
– Conceptually clean and well defined
– Protects investment and IP by separating the business model from the supporting technologies
• But there is still a long way ahead
• There are more or less mature approaches to the development of security systems using MDA
– Based on security policies and RBAC
• Research is required
• MDD (and MDA) looks very promising
• MDA is not the panacea
– “No manual coding” is not 100% achievable in general
– It is important to identify the domains in which MDA can be effectively used
– For the time being tools are not mature
Honestly, do you really think that only drawing three boxes and a couple of lines you will get all your application code?
38. Creation of Secure Applications
Differences between current secure software
development and the SERENITY approach
SERENITY applications life cycle
Developing SERENITY applications
Using Java to develop SERENITY applications
Run-time support
Advantages of the SERENITY approach
39. Creation of Secure Applications
When Developing applications…
• Most of current approaches for software development are
based on an iterative and incremental process
40. Creation of Secure Applications
How does it fit in Agile Development…
[Figure: the classic sequence Security Requirements → Planning → Design → Development, labelled “Not really agile”, with the question: a specific security engineering activity in every sprint?]
41. Creation of Secure Applications
How does it fit in Agile Development…
[Figure: Security Requirements → Planning → Design → Development, with Security Risk Management added as identify the properties/threats → decide the controls → check against the threat model. The outcome is supposed to have a residual risk.]
42. Creation of Secure Applications
How does it fit in Agile Development… in fact
[Figure: the per-sprint loop. Sprint Planning: threat analysis for the largest risks → detailed threat analysis → decide on the controls: address the threat (new sprint backlog) or postpone the work (new product backlog) → Sprint Review: approve residual risk.]
• For this to work:
• The Scrum team does need to be somehow aware of security
engineering and software security issues.
• Security specialists should be on call.
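As an added illustration (not from the slides) of the loop just described, the following Python encodes one sprint's threat triage: threats are ranked by likelihood times impact so the largest risks are analysed first, each gets a control decision (address it now, which puts it in the sprint backlog, or postpone it to the product backlog) bounded by the security capacity the team reserved for the sprint, and the sprint review approves the residual risk only if it stays under an agreed threshold. The threats, scores, control efforts, capacity and threshold are constructed values, and the greedy scheduling is my own simplification of "decide on the controls".

```python
# Added example (not from the slides): the per-sprint threat triage
# described above, as code.  Threats are ranked by likelihood x impact,
# the largest risks are taken first, each gets a control decision
# (address it now -> sprint backlog, or postpone -> product backlog)
# bounded by the sprint's security capacity, and the sprint review
# approves the residual risk only if it stays under an agreed threshold.
# All threats, scores, efforts and thresholds below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    control_effort: int       # story points needed to implement the control
    control_reduction: float  # fraction of the risk the control removes

    @property
    def risk(self):
        return self.likelihood * self.impact


@dataclass
class SprintPlan:
    sprint_backlog: list      # threats addressed in this sprint
    product_backlog: list     # threats postponed
    residual_risk: float      # risk left after the sprint
    approved: bool            # sprint review outcome


def plan_sprint(threats, capacity, approved_residual):
    """Sprint Planning + Sprint Review in one pass.

    Greedy by risk: the largest risk is analysed first and its control
    scheduled if capacity allows; anything that does not fit is postponed.
    Residual risk = addressed risks scaled by what their control leaves,
    plus the full risk of everything postponed.
    """
    sprint, product, remaining = [], [], capacity
    for t in sorted(threats, key=lambda t: t.risk, reverse=True):
        if t.control_effort <= remaining:
            sprint.append(t)
            remaining -= t.control_effort
        else:
            product.append(t)
    residual = sum(t.risk * (1 - t.control_reduction) for t in sprint)
    residual += sum(t.risk for t in product)
    residual = round(residual, 2)
    return SprintPlan(sprint, product, residual, residual <= approved_residual)


# Constructed threat model for one sprint.
THREATS = (
    Threat("SQL injection in login form", 4, 5, 3, 0.9),
    Threat("Weak session token entropy", 3, 4, 2, 0.8),
    Threat("Verbose error pages leak stack traces", 4, 2, 1, 1.0),
    Threat("No rate limit on password reset", 2, 3, 5, 0.7),
)

if __name__ == "__main__":
    for cap in (6, 3):
        plan = plan_sprint(THREATS, capacity=cap, approved_residual=12)
        print(f"capacity {cap}: addressed {[t.name for t in plan.sprint_backlog]}, "
              f"residual {plan.residual_risk}, approved={plan.approved}")
```

The point the second run makes is the one the slide makes about residual risk: when the sprint cannot absorb enough controls, the review must reject the residual risk rather than rubber-stamp it, which is exactly the moment security specialists need to be on call.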
43. Creation of Secure Applications
Security aspects of applications
• Usually, security requirements are treated like the rest of the requirements
– Security is not a functional requirement
• It is difficult to implement
• It is difficult to trace during the project
• Security is always orthogonal. We may talk of perspectives of the software
• Given a good model, you have one thousand ways of making it insecure
– A parameter not correctly parsed
– A buffer not correctly managed
– …
45. Creation of Secure Applications
Serenity Proposal for Secure Software Development
• Just a reminder:
– For this to work, the team does need to be somehow aware of security engineering and software security issues.
• Now that we are aware:
– We propose not to be aware of security engineering, but of the security properties the system has to comply with
– Security requirements are fulfilled by means of S&D patterns
– S&D patterns are represented at different levels of abstraction by means of different artefacts
[Figure: the S&D artefact chain ExecutableComponent –RefersTo→ S&DImplementation –Implements→ S&DPattern –BelongsTo→ S&DClass.]
46. Creation of Secure Applications
Serenity Proposal for Secure Software Development
– S&DClass: represents a set of S&D solutions and defines a general interface
– S&DPattern: represents an S&D solution and defines an interface and a set of functionalities
– S&DImplementation: represents the implementation of a pattern and implements the pattern interface
– ExecutableComponent: refers to an S&DImplementation
Software Architects know these artefacts, Security Experts deeply know these artefacts, and Developers know and use all these S&D artefacts and their interfaces
47. Creation of Secure Applications
Serenity Proposal for Secure Software Development
• Developers include references to S&D patterns in
applications by means of references to S&D artefacts
• Developers are supported by S&D patterns libraries
where they can find artefacts (called S&D Libraries)
• SERENITY includes tools supporting developers for
managing on-line S&D libraries (e.g. plugin for Eclipse)
48. Creation of Secure Applications
S&D Pattern Development
[Figure, built up over slides 48–52, with three layers:
– S&D Pattern Development (Security Community): S&D pattern development → addition to the S&D library → S&D library
– Application Development (Development Team): inclusion of references in the application → S&D pattern search and selection → application deployment
– Runtime Support (Serenity Runtime Framework): runtime S&D pattern assembling → application execution → runtime monitoring → running app
Slides 51 and 52 overlay the Serenity Development Framework on the development-time layers and the Serenity Runtime Framework on the runtime layer.]
53. Creation of Secure Applications
• One of SERENITY’s main features is the run-time support:
– Dynamic substitution of S&D Patterns at run-time
– The more abstract the artefact selected at development time is, the more freedom the SRF has in selecting the S&D Pattern
– At run-time S&D Patterns are monitored
54. Creation of Secure Applications
• The SERENITY approach can be integrated into most current development processes
• Let us see how it fits…
[Figure: the SERENITY development-time framework and the SERENITY runtime framework side by side.]
56. Creation of Secure Applications
How does it fit in Agile Development…
[Figure: the same per-sprint loop as before, now with Sprint Planning doing threat analysis based on properties for the largest risks → detailed threat analysis → decide on the controls: address the threat (new sprint backlog) or postpone the work (new product backlog) → Sprint Review: approve residual risk. Slide 57 overlays the SERENITY development-time framework and the SERENITY runtime framework on this loop.]
58. Creation of Secure Applications
• The integration of SERENITY is achieved by means of new paths in security engineering techniques: S&D properties, formal proofs, and a library.
• Application developers profit from the expertise of security experts by using SERENITY patterns
60. Creation of Secure Applications
Developing applications in Serenity
• Application Developer: Our client needs a secure and reliable online application…
1) Identify S&D Requirements
• Properties vs. threats
• Usually expressed as S&DProperties
• Look for the appropriate S&DProperties in S&DProperties repositories
2) Develop applications
• Search the development-time S&DLibrary for the appropriate S&D solutions
• Develop the code including references to the S&D solutions’ functionalities
61. Creation of Secure Applications
The whole process
[Figure: a Serenity-aware Application holds an S&D Pattern reference and accesses the S&D Pattern functionalities; the SRF (run-time support) performs runtime selection using information from the context, loads the Executable Component implementing an S&D Pattern, passes monitoring activation rules to the Monitoring Service, and receives monitoring results and events back.]
63. Creation of Secure Applications
From the developer’s perspective
1. I launch my favourite programming IDE
2. I start coding my application
3. I import the SERENITY API
4. I launch the SERENITY search tool
5. I look for the pattern I want to use in my application
6. I add calls to the pattern using
a. the semantic information retrieved from the pattern description
b. and, the SERENITY API
(I do not need to include the pattern itself; I just need a reference to the pattern)
7. I finish and compile my application
8. I deploy my application in a SERENITY enabled device
That’s all, now my app is ready to run!
66. Creation of Secure Applications
SERENITY Tools
• Currently SERENITY provides an Eclipse plugin to navigate through a library of artefacts
67. Creation of Secure Applications
SERENITY Tools
• You can connect to remote S&D artefacts repositories
68. Creation of Secure Applications
SERENITY Tools
• You can navigate through solutions for specific S&D properties
69. Creation of Secure Applications
SERENITY Tools
• And you can search for specific S&D patterns, classes…
70. Creation of Secure Applications
SERENITY Tools
• And security experts can edit S&D artefacts
71. Creation of Secure Applications
The whole process. Revisited
[Figure: Serenity-aware Application ↔ SRF ↔ Executable Component implementing an S&D Pattern, plus the Monitoring Service. The question mark on slide 71 (what sits between the application and the SRF?) is answered on slide 72: the SERENITY API for application developers, currently developed for JAVA.]
74. Creation of Secure Applications
A simplified example
• This test application just requests an S&D pattern for authentication and uses it
[Figure: My Serenity Application holds mySRF (an access point to the SRF) and myEC (bound to the pattern confidentiality.uma.es, whose operation sendConf() is called).]
    mySRF = SRF_AP_AccessPoint(localhost);
    myEC = new SerenityExecutableComponent_AP(
        mySRF,
        "P:confidentiality.uma.es",
        parameters
    );
    myEC.callOperation("sendConf", parameters);
76. Creation of Secure Applications
Java package for applications
[Class diagram “SERENITY-application Support Library”: SRF_AP_AccessPoint (+ requestSolution() : EcHandler) sends SRFRequests to the S&DManager of the SRF and creates an EcHandler; Application A «uses» SerenityExecutableComponent_AP (+ callOperation(oper, inParam, outParam) : void), whose EcHandler points to the ECaccessPoint of Executable Component A, which processes the operation.]
77. Creation of Secure Applications
An example: the code
    // Package name made a valid Java identifier (the slide had “SERENITY-application”)
    package serenity.application;
    import serenity.app.*;
    public class mySERENITYapplication {
        // I connect to a SRF hosted on localhost
        // (assumed: the access point takes the SRF host name as a String)
        static SRF_AP_AccessPoint mySRF = new SRF_AP_AccessPoint("localhost");
        // I am going to use an executableComponent
        static SerenityExecutableComponent_AP confidentialitySolution;
        // Param for the SDRequest
        static SerenitySolutionParametersList sParametersList = new SerenitySolutionParametersList();
        // Param for the pattern functionality
        static SerenityOperationParametersList operationParameters = new SerenityOperationParametersList();
        // C: for a S&DClass
        // P: for a S&DPattern
        // I: for a S&DImplementation
        static String solutionName = "P:confidentiality.uma.es";
        public static void main(String[] args) {
            ...
            // I am going to create the executableComponent access point object
            sParametersList.addParam("target_IP", "127.0.0.1");
            confidentialitySolution = new SerenityExecutableComponent_AP(mySRF, solutionName, sParametersList);
            ...
            // I am going to access one of the S&DClass interface operations
            operationParameters.addParam("Message", "Hello world");
            confidentialitySolution.callOperation("sendConfidential", operationParameters);
            ...
        }
    }
78. Creation of Secure Applications
Considerations
• The API encapsulates the use of ECHandlers
– The ECHandler is used by the executableComponent_AP
– It is possible to use ECHandlers directly
• How do developers know the S&D patterns’ interface?
– This information is part of the pattern definition retrieved from the development-time library
– A SERENITY-enabled IDE helps to develop the application by presenting the list of appropriate calls (a kind of auto-completion), given that S&D artefacts are machine readable.
Tools and documentation available at:
http://www.serenity-project.org/
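The following added example (Python, my own illustration rather than the SERENITY library or its Java API) models the artefact chain S&DClass ← S&DPattern ← S&DImplementation ← ExecutableComponent and the C:/P:/I: reference prefixes from the code slide, and shows the run-time consequence stated on slide 53: the more abstract the reference an application compiles in, the more room the runtime framework has to substitute a different implementation when monitoring reports that the context changed. The library contents, the context flags used as preconditions and the artefact names are all constructed assumptions.

```python
# Added example (not SERENITY's own code): a toy model of the S&D
# artefact chain from the slides (S&DClass <- S&DPattern <-
# S&DImplementation <- ExecutableComponent) and of how a runtime
# framework resolves an application's reference to it.  References use
# the prefixes the code slide gives: "C:" for an S&DClass, "P:" for an
# S&DPattern, "I:" for an S&DImplementation.  The library contents,
# the context flags and the artefact names are all constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class SDPattern:
    name: str
    sd_class: str             # the S&DClass the pattern belongs to


@dataclass(frozen=True)
class SDImplementation:
    name: str
    pattern: str              # the S&DPattern it implements
    preconditions: frozenset  # context flags that must hold to use it
    component: str            # executable component that gets loaded


# Constructed S&D library: one class, two patterns, three implementations.
PATTERNS = {
    "channel-tls.example": SDPattern("channel-tls.example", "confidentiality.example"),
    "envelope-smime.example": SDPattern("envelope-smime.example", "confidentiality.example"),
}
IMPLEMENTATIONS = (
    SDImplementation("tls-native.example", "channel-tls.example",
                     frozenset({"network_online", "native_crypto"}), "ec-tls-native"),
    SDImplementation("tls-pure.example", "channel-tls.example",
                     frozenset({"network_online"}), "ec-tls-pure"),
    SDImplementation("smime-store.example", "envelope-smime.example",
                     frozenset({"recipient_cert_available"}), "ec-smime"),
)


def candidates(reference):
    """Every implementation an S&D reference can resolve to.  The more
    abstract the reference, the larger the candidate set."""
    kind, sep, name = reference.partition(":")
    if sep != ":" or kind not in ("C", "P", "I"):
        raise ValueError(f"bad S&D reference: {reference!r}")
    if kind == "I":
        return [i for i in IMPLEMENTATIONS if i.name == name]
    if kind == "P":
        return [i for i in IMPLEMENTATIONS if i.pattern == name]
    return [i for i in IMPLEMENTATIONS
            if PATTERNS[i.pattern].sd_class == name]


def select(reference, context):
    """SRF-style runtime selection: first candidate whose preconditions
    hold in the current context, or None when nothing fits."""
    for impl in candidates(reference):
        if impl.preconditions <= context:
            return impl
    return None


def run_with_monitoring(reference, contexts):
    """Simulate monitoring-driven substitution: each reported context
    change triggers a fresh selection.  Returns the component loaded at
    each step; None marks a step at which the application is left
    without a valid solution."""
    loaded = []
    for ctx in contexts:
        impl = select(reference, frozenset(ctx))
        loaded.append(impl.component if impl else None)
    return loaded


if __name__ == "__main__":
    path = [{"network_online", "native_crypto"}, {"network_online"},
            {"recipient_cert_available"}]
    for ref in ("C:confidentiality.example", "P:channel-tls.example",
                "I:tls-native.example"):
        print(ref, "->", run_with_monitoring(ref, path))
```

Run against the same sequence of contexts, the class-level reference survives every change, the pattern-level reference survives only while the network is up, and the implementation-level reference breaks as soon as its one precondition disappears; that is the trade-off between flexibility and control that choosing the abstraction level at development time amounts to.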
80. Creation of Secure Applications
Advantages of the SERENITY approach
• Applications become independent of the implementation of the security solutions they need
• Applications become responsive to changes of the context
• The library of solutions is ever growing and continuously reviewed, without the need to revise the application
• It is possible to verify that applications comply with the applicable security policies
• It enhances the process of security engineering, by promoting the separation of duties between security specialists and application developers
• It helps to manage threats, since the focus is on the properties, not on the threats themselves
• Property + Context => Threats (it allows non-security experts to identify new threats)