Formalization of web security patterns

INFOCOMP Journal of Computer Science Pub Date : 2015-06-01 DOI:10.18760/IC.14120152

A. Dwivedi, S. K. Rath

{"title":"Formalization of web security patterns","authors":"A. Dwivedi, S. K. Rath","doi":"10.18760/IC.14120152","DOIUrl":null,"url":null,"abstract":"Security issues in software industries become more and more challenging due to malicious attacks and as a result, it leads to exploration of various security holes in software system. In order to secure the information assets associated with any software system, organizations plan to design the system based on a number of security patterns, useful to build and test new security mechanisms. These patterns are nothing but certain design guidelines. But they have certain limitations in terms of consistency and usability. Hence, these security patterns may sometimes act as insecure. In this study, an attempt has been made to compose security patterns for the web-based application. Subsequently, a formal modeling approach for the composition of security patterns is presented. In order to maximize comprehensibility, Unified Modeling Language (UML) notations are used to represent structural and behavioral aspects of a web-based system. A formal modeling language i.e., Alloy has been taken into consideration for analyzing web-based security pattens. For the demonstration of this approach, a case study i.e., an online banking system is considered. A qualitative evaluation is performed for the identified security patterns against the critical security properties. In this study a model-driven framework is presented, which helps to automate the process of analyzing web security patterns.","PeriodicalId":320111,"journal":{"name":"INFOCOMP Journal of Computer Science","volume":"460 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"INFOCOMP Journal of Computer Science","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.18760/IC.14120152","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 14

Abstract

Security issues in software industries become more and more challenging due to malicious attacks and as a result, it leads to exploration of various security holes in software system. In order to secure the information assets associated with any software system, organizations plan to design the system based on a number of security patterns, useful to build and test new security mechanisms. These patterns are nothing but certain design guidelines. But they have certain limitations in terms of consistency and usability. Hence, these security patterns may sometimes act as insecure. In this study, an attempt has been made to compose security patterns for the web-based application. Subsequently, a formal modeling approach for the composition of security patterns is presented. In order to maximize comprehensibility, Unified Modeling Language (UML) notations are used to represent structural and behavioral aspects of a web-based system. A formal modeling language i.e., Alloy has been taken into consideration for analyzing web-based security pattens. For the demonstration of this approach, a case study i.e., an online banking system is considered. A qualitative evaluation is performed for the identified security patterns against the critical security properties. In this study a model-driven framework is presented, which helps to automate the process of analyzing web security patterns.

查看原文本刊更多论文

web安全模式的形式化

由于恶意攻击的不断发生，软件行业的安全问题变得越来越具有挑战性，从而导致人们对软件系统中各种安全漏洞的探索。为了保护与任何软件系统相关的信息资产，组织计划基于许多安全模式来设计系统，这些模式对构建和测试新的安全机制很有用。这些模式只不过是特定的设计准则。但它们在一致性和可用性方面有一定的局限性。因此，这些安全模式有时可能表现得不安全。在本研究中，尝试为基于web的应用程序编写安全模式。在此基础上，提出了安全模式组合的形式化建模方法。为了最大限度地提高可理解性，使用统一建模语言(UML)符号来表示基于web的系统的结构和行为方面。在分析基于web的安全模式时，考虑了一种正式的建模语言，例如Alloy。为了演示这种方法，我们考虑了一个案例研究，即一个在线银行系统。针对关键安全属性，对已识别的安全模式执行定性评估。本研究提出了一个模型驱动的框架，该框架有助于web安全模式分析过程的自动化。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

INFOCOMP Journal of Computer Science

自引率

0.00%

发文量