01-06-2012, 05:43 PM
An Extension on RUP for Developing Secure Systems - Requirements Discipline
Abstract
The world is moving rapidly toward the deployment
of information and communication systems. Nowadays, computing
systems with their fast growth are found everywhere and one of the
main challenges for these systems is increasing attacks and security
threats against them. Thus, capturing, analyzing and verifying
security requirements becomes a very important activity in the
development process of computing systems, especially in developing
systems such as banking, military and e-business systems. For
developing every system, a process model which includes a process,
methods and tools is chosen. The Rational Unified Process (RUP) is
one of the most popular and complete process models and has been used
by developers in recent years. This process model should be
extended to be used in developing secure software systems. In this
paper, the Requirement Discipline of RUP is extended to improve
RUP for developing secure software systems.
INTRODUCTION
Security is an attribute of a system that prevents the system
from revealing, changing and denying resource services
and system information in an illegal way. Generally, the three
aspects of security are confidentiality, integrity and
availability of service of resources and information. To
achieve these aspects and develop a secure system, security
services and mechanisms should be considered [1].
One of the main activities in developing any computing system
is requirements engineering. Requirements engineering is the
capturing, analyzing, documenting and validating of
requirements. In requirements engineering, security is
considered a nonfunctional requirement [2, 3, 4, 5],
although in some references security is classified as a
functional requirement [6, 7]. In most cases, security
requirements are naturally difficult to identify, evaluate, apply
and achieve [2].
SECURITY REQUIREMENTS IN RUP
In RUP, the FURPS+ model is used for categorizing
requirements [6]. In this model, security requirements are
categorized in the Functionality requirement category. In RUP,
just some steps and an approach (Software Requirements
Specification guideline, section 6) are given to establish and
classify the security requirements. According to this guideline,
captured security requirements are documented in the Software
Requirement Specification document, but it is not mentioned
how these requirements should be modeled, analyzed and
used in the remaining phases of the development process. In the
following sections, we describe how this problem is solved by
the extensions that we have proposed for RUP.
MOTIVATION CASE STUDY
One of the possible ways to evaluate software development
process models or methodologies is to choose some exemplar
systems as case studies and employ the process model or
methodology in developing the case study systems. Then, the
weaknesses of the process model in developing the system are
analyzed, the process model is improved and the system
development is repeated according to the improved version of
the process model. In this paper, a Sales and Purchase system
of a dealer organization has been chosen as a case study. This
organization offers some services to the sellers to demonstrate
and sell the stocks. Customers can select and purchase the
stocks from the sellers. In this paper, the examples are based
on this case study system.
CONCLUSION AND SUGGESTIONS FOR FURTHER WORKS
In this paper, some extensions to the Requirement discipline of
RUP were reported as part of research work on defining a
process model for developing secure systems, RUPSec. These
extensions include adding activities, artifacts, and roles to
RUP or improving them. At the current stage, these extensions do
not cover all RUP disciplines, and in further steps of the research
we will work on other RUP disciplines.