Integrating Security Design Into The Software

Development Process For E-Commerce Systems

By: M.T. Chan, L.F. Kwok(City University of Hong Kong)

IntroductionWWW has evolved from static info dispatcher to full blown distributed computing environment E-commerce:

Business to Customer TransactionsBusiness to Business Transactions

E-commerce systems are built on top of the WWW and internet, which are well known for their exposure to security threats of various kinds

Security Design and Software Development Process

SSE-CMM (Systems Security Engineering Capability Maturity Model)

Security Engineering:Risk Process:

• identifies and prioritizes dangers inherent to the developed product or system

Engineering Process:• Works with the other engineering disciplines to determine and

implement solutions to the problems presented by the dangers

Assurance Process:• Establishes confidence in the security solutions and conveys

this confidence to users or customers

SSE-CMMprovides a concrete framework in the design and development of a secured system.designed to be generic

applied to different domains.

defines “what” but not “how”.SSE-CMM is going to be used as a framework to specify SDPSS by further defining details of how to design and develop secured e-commerce systems for different application domains.

SDPSS Risk Process

SSE-CMM requires assessment of 4 entities:

Impact

Security risk

Threats

Vulnerabilities

Risk Data Repository Information Security Model (RDR)

Focuses on risk documentation and captures risk information about the entities and their linkagesEntities are grouped under 3 domains:

Environment domain:• entities that host or support the operation of the information

processing system

Platform domain:• Covers the description of the information processing system

and its related threats and countermeasures

Asset domain:• Represents information assets that are of certain value.

RDR concept used…but adapted

select entities that are relevant in software development and represent them as an object oriented design pattern

entities are modeled as classes and the links between entities are represented as associations between classes in an object oriented design

Security Design Pattern Entities are represented as classes which contain attributes describing the properties and methods defining operations that can be performed on the classes.

Vulnerabilities, Threats, Risks, and Impacts Asset – represents a unit of the e-commerce system being designed that has a value and loss of it may have an impact, financially or otherwise. Deployment – a combination of hardware/software on which the asset operates.  

Vulnerabilities are then classified into 2 main categories: asset vulnerabilities and deployment vulnerabilities.

ExampleA function in an e-commerce system, which is responsible to send out purchase orders in the form of e-mail. This function is an asset and the e-mail purchase order being intercepted is the vulnerability. The cost of damage to the company if the purchase orders are tempered is the impact.The potential of being intercepted is represented as the risk attribute in the link class threat and one of the countermeasures is to perform encryption before the purchase order is sent.

Software Development Process as the Engineering Process

The software process used to reengineer three-tier client/server systems to Web-based systems is adopted and extended with security design considerations.

It is based on unified modeling language (UML).

UML and SDPSS

To facilitate communication between designers, five types of diagrams are selected to support SDPSS:

Use caseClassCollaborationComponentDeployment diagrams

4 steps

The proposed SDPSS has 4 major steps: Object and collaboration modeling

Tier Identification

Component Identification

Deployment Specification

SDPSS is designed to…Model e-commerce applications in a well-defined mannerProvide a generic model

Security design will be meaningful and applicable across different application domains

Document the architecture of e-commerce application with clear and precise definition of security perimetersGive flexibility to designers to perform trade-off in security design on top of functional design according to defined design goals

Object and Collaboration Modeling Object modeling

Capture the functional requirements of the system using use case diagrams Establish the general layout of the system design in terms of class diagrams.

Collaboration Modeling Analyze how objects or classes interact with each other. Goal: to ensure all functional requirements are met by step-wise refinement and going through all identified use cases.

Specifying Security Needs Through Tier Identification

Objects are first grouped into tiers according to functional requirements and deployment considerations.

Tiers are examined according to vulnerabilities, risks and impacts to identify assets.

Regrouping may be necessary

corresponding countermeasures, risks and impact could be specified and documented

The mapping of tiers to assets therefore brings together the risk process and the engineering process.

Component Identification Component – identifies sets of objects that are coherent in terms of functional requirements and are reused. Criteria to identify components:

A component serves as the basic unit of security perimeterComponents are derived from objects coming from the same tierComponents are derived from objects coming from the same physical deployment, i.e. same technological platform.

Deployment Specification and Platform Security

Possible to deploy different parts of the system on more than one platform.In UML notation deployment diagrams describe physical machines used to run components.

Too restrictive for e-commerce applications

Semantics of node in UML extended to include deployment technology specification. Identify a set of known vulnerabilities for that platform. The risk of deploying a tier of components can be evaluated and suitable countermeasures can be built into the design.

Deployment (continued)

A link between a deployment and an asset representing the software components of that asset would be run in the deployment platform.

Before the coding phase of a project starts:designers can model different deployment scenarios

balance the pros and cons

make a trade-off to arrive at an optimal solution.

ExampleAn internet server provides web services to external clients and the intranet server provides database access and internal inventory control operations. Security design considerations for the 2 servers are quite different. The intranet server should have very stringent security needs and should be protected behind a firewall Internet server has to be opened to the Internet and other countermeasures should be employed.

The Assurance Process With the assistance of CASE (computer aided software engineering) tools

All security related design information would be accessible as a central repository Possible to perform various assurance exercises with the model

Whether security needs are met and can be checked by verifying that assets are actually linked to the correct vulnerabilities, tiers and components are correctly aggregated into assets and linked to deployment properly.

Example

It is the company policy to require that any order information sent to a supplier must be encrypted.

To verify this, a cross-reference report could be generated from CASE tools and see if the vulnerability association of the place order component actually points to the repudiation vulnerability.

ConclusionAll vulnerabilities, impacts, threats and risks could be continuously monitored and updated.Countermeasures could be improved and verified through feedback from actual deployment or security alerts issued by vendors. By separating the risk and the engineering process, any updated countermeasures can be easily implemented without intensive modification of the application system. Dedicated teams with clear responsibilities can be separately assigned to the risk, engineering and assurance process sharing the centralized model built from the SDPSS.

Chan, M.T. and L.F. Kwok, "Integrating Security Design Into the Software Development Process for E-Commerce Systems", Information Management & Computer Security, Volume 9, No. 3. 2001. Pages 112-122.