UML-SR: A Novel Security Requirements Specification Language

2019 IEEE 19th International Conference on Software Quality, Reliability and Security (QRS) Pub Date : 2019-07-01 DOI:10.1109/QRS.2019.00051

M. Mohsin, Muhammad Umair Ahmed Khan

{"title":"UML-SR: A Novel Security Requirements Specification Language","authors":"M. Mohsin, Muhammad Umair Ahmed Khan","doi":"10.1109/QRS.2019.00051","DOIUrl":null,"url":null,"abstract":"Existing security specification languages are not fully equipped to express low-level security requirements and design decisions such as input validation (a security requirement for a number of highly severe vulnerabilities). This inability of current specification languages compels developers to make security-related decisions on their own. We propose, a new security specification language named UML-SR using the extension mechanism of UML. UML-SR is based upon security requirements that need to be used to avoid the some of the most severe vulnerabilities according to the Common Vulnerability Scoring System of the National Vulnerability Database. UML-SR enhances UML use case, activity, class, and sequence diagrams with security requirements such as input validation, multi-factor authentication, closing port after an interval of inactivity, checking privileges, allowing only whitelisted commands, checking parameters passed when calling a function, session expiration check on the server side, and password aging. In this paper, we use stereotypes, constraints, and tags to represent these security requirements as a case study.","PeriodicalId":122665,"journal":{"name":"2019 IEEE 19th International Conference on Software Quality, Reliability and Security (QRS)","volume":"178 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE 19th International Conference on Software Quality, Reliability and Security (QRS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/QRS.2019.00051","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

Existing security specification languages are not fully equipped to express low-level security requirements and design decisions such as input validation (a security requirement for a number of highly severe vulnerabilities). This inability of current specification languages compels developers to make security-related decisions on their own. We propose, a new security specification language named UML-SR using the extension mechanism of UML. UML-SR is based upon security requirements that need to be used to avoid the some of the most severe vulnerabilities according to the Common Vulnerability Scoring System of the National Vulnerability Database. UML-SR enhances UML use case, activity, class, and sequence diagrams with security requirements such as input validation, multi-factor authentication, closing port after an interval of inactivity, checking privileges, allowing only whitelisted commands, checking parameters passed when calling a function, session expiration check on the server side, and password aging. In this paper, we use stereotypes, constraints, and tags to represent these security requirements as a case study.

查看原文本刊更多论文

UML-SR:一种新的安全需求规范语言

现有的安全规范语言不能完全表达低级安全需求和设计决策，例如输入验证(许多高度严重漏洞的安全需求)。当前规范语言的这种无能迫使开发人员自己做出与安全相关的决策。我们利用UML的扩展机制，提出了一种新的安全规范语言UML- sr。UML-SR基于安全需求，需要根据国家漏洞数据库的通用漏洞评分系统来避免一些最严重的漏洞。UML- sr增强了UML用例、活动、类和序列图的安全性需求，例如输入验证、多因素身份验证、在一段不活动的时间间隔后关闭端口、检查特权、只允许白名单命令、检查调用函数时传递的参数、服务器端的会话过期检查以及密码老化。在本文中，我们使用构造型、约束和标签作为案例研究来表示这些安全需求。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2019 IEEE 19th International Conference on Software Quality, Reliability and Security (QRS)

自引率

0.00%

发文量