Michael VanHilst

Using role components in implement collaboration-based designs

In this paper we present a method of code implementation that works in conjunction with collaboration and responsibility based analysis modeling techniques to achieve better code reuse and resilience to change. Our approach maintains a closer mapping from responsibilities in the analysis model to entities in the implementation. In so doing, it leverages the features of flexible design and design reuse found in collaboration-based design models to provide similar adaptability and reuse in the implementation. Our approach requires no special development tools and uses only standard features available in the C++ language. In an earlier paper we described the basic mechanisms used by our approach and discussed its advantages in comparison to the framework approach. In this paper we show how our approach combines code and design reuse, describing specific techniques that can be used in the development of larger applications.

Eliciting Security Requirements through Misuse Activities

In previous work we introduced an approach for finding security requirements based on misuse activities (actions). This method starts from the activity diagram of a use case (or a sequence of use cases). Each activity is analyzed to see how it could be subverted to produce a misuse of information. This analysis results in a set of threats. We then consider which policies can stop or mitigate these threats. We now extend that approach to consider in the analysis the type of misuse (confidentiality, integrity ...) that can happen in each activity, the role of the attacker, and the context for the threat. This extended analysis results in a finer and more systematic way to find threats and we can identify now more threats. We also improve the way to find the policies to control these threats and we consider how to map the corresponding policies to security patterns. The information in each pattern helps in the selection of an optimal (or good) set of policies. Our extended approach can be conveniently incorporated in a methodology to build secure systems.

A Multi-dimensional Classification for Users of Security Patterns

This paper presents a classification for security patterns that addresses the needs of users. The approach uses a matrix defined by dividing the problem space along multiple dimensions, and allows patterns to occupy regions, defined by multiple cells in the matrix. It supports filtering for narrow or wide pattern selection, allows navigation along related axes of concern, and identifies gaps in the problem space that lack pattern coverage. Results are preliminary but highlight differences with existing classifications.

Defining Security Requirements Through Misuse Actions

An important aspect of security requirements is the understanding and listing of the possible threats to the system. Only then can we decide what specific defense mechanisms to use. We show here an approach to list all threats by considering each action in each use case and analyzing how it can be subverted by an internal or external attacker. From this list we can deduce what policies are necessary to prevent or mitigate the threats. These policies can then be used as guidelines for design. The proposed method can include formal design notations for validation and verification.

The Secure Three-Tier Architecture Pattern

The three-tier architecture pattern and its variants have been around for a while and there are several discussions of their properties as well as several patterns. None of these discussions considers security. However, several real systems implement this approach including security. We revisit this pattern to explicitly separate and analyze its security aspects.

Repository mining and Six Sigma for process improvement

In this paper, we propose to apply artifact mining in a global development environment to support measurement based process management and improvement, such as SEI/CMMIs GQ(I)M and Six Sigmas DMAIC. CMM has its origins in managing large software projects for the government and emphasizes achieving expected outcomes. In GQM, organizational goals are identified. The appropriate questions with corresponding measurements are defined and collected. Six Sigma has its origins in manufacturing and emphasizes reducing cost and defects. In DMAIC, a major component of a Six Sigma approach, sources of waste are identified. Then changes are made in the process to reduce effort and increase the quality of the product produced. GQM and Six Sigma are complementary. Both approaches rely heavily on the measurement of input and output metrics. Mining development artifacts can provide usable metrics for the application of DMAIC and GQM in the software domain.

Measuring the Level of Security Introduced by Security Patterns

It is possible to reasonably measure the security quality of individual security patterns. However, more interesting is to ask: Can we show that a system built using security patterns is secure in some sense? We discuss here some issues about evaluating the security of a system built using security patterns. We consider the use of threats and misuse patterns to perform this evaluation.

An Approach to Model-based Development of Secure and Reliable Systems

A good way to obtain secure systems is to build applications in a systematic way where security is an integral part of the lifecycle. The same applies to reliability. If we want a system which is secure and reliable, both security and reliability must be built together. If we build not only applications but also middleware and operating systems in the same way, we can build systems that not only are inherently secure but also can withstand attacks from malicious applications and resist errors. In addition, all security and reliability constraints should be defined in the application level, where their semantics is understood and propagated to the lower levels. The lower levels provide the assurance that the constraints are being followed. In this approach all security constraints are defined at the conceptual or application level. The lower levels just enforce that there are no ways to bypass these constraints. By mapping to a highly secure platform, e.g., one using capabilities, we can produce a very secure system. Our approach is based on security patterns that are mapped through the architectural levels of the system. We make a case for this approach and we present here three aspects to further develop it. These aspects include a metamodel for security requirements, a mapping of models across architectural levels, and considerations about the degree of security of the system.

Process Analysis of a Waterfall Project Using Repository Data

Abstract The study of repository data has yielded insight into the behaviour of developers and qualities of software artifacts. In this article, we use repository data to investigate the nature and quality of the development process itself. Specifically, we use repository data to identify sources of potential inefficiency and waste in process design and execution. Our analysis approach is motivated by principles of Lean product development and fills a gap in the literature for empirical process metrics. To illustrate the approach, we analyse data from a large industry project involving CMM level 3 and 4 teams in a waterfall process. Both basic and focused analyses are presented, with eight different views of progress, efficiency, and cost.

A pattern for a sensor node

Sensors are widely used in everyday life in household appliances, fire alarms, traffic control systems, battlefields, banks, and museums. Sensors are used either as standalone devices or in networks. Understanding the basic structure of a sensor node is essential to be able to use the sensors in different types of devices and different kinds of environments. Many applications require different types of sensor nodes that communicate with each other to perform a specific function. We present a pattern that describes an abstract view of the architecture of a sensor node. This description would help the application designer to choose from different types of sensor nodes for his application and to integrate it with other functional units. Moreover, this model also helps the designer to reuse, combine, or modify the architecture of a node to suit more complex needs.