Abstract

Security is a challenging task in software engineering. Traditionally, addressing security concerns are considered as an afterthought to the development process and security mechanisms are fitted into pre-existing software without considering the consequences on the main functionality of the software. Enforcing security policies should be taken care of during early phases of the software development life cycle; this benefits the development costs and reduces the maintenance time. In addition to cost saving, this encourages development of reliable software. Since security related concepts will be considered in each step of the design, the implications of inserting such concepts into the existing system requirements will help mitigate the defects and vulnerabilities present in the system. Although integrating security solutions into every stage of the software development cycle, results in scattering and tangling of security features across the entire design. The traditional security hardening approaches are tedious and prone to many errors as they involve manual modifications. In this context, the need for a systematic way to integrate security aspects/mechanisms into the design phase of the development cycle should be considered.
In this work, an aspect-oriented modeling approach for specifying and integrating security aspects in to Unified Modeling Language (UML) design model is presented. This approach allows the security experts to specify generic security aspects and weave them into target software base model early in the software development phase. In contrast to traditional approaches, model-to-model transformation mechanisms discussed in this approach are designed to have an efficient and a fully automatic weaving process. This work further discusses additional components that are introduced into the weaving process. These newly introduced components allow the security experts to provide more appropriate security hardening concepts. Furthermore, the additional components are designed based on object-oriented principles and allow the security experts to exercise these principles in the model-to-model transformation. The additions to the weaver application are tested using the Session Initiation Protocol (SIP) communicator as a base model. The description of the additional components and the results of testing of the weaving process are discussed further in this thesis.