1. Model-based security analysis of feature-oriented software product lines
- Author
-
StrüberDaniel, PeldszusSven, and JürjensJan
- Subjects
Security analysis ,Computer science ,business.industry ,020207 software engineering ,02 engineering and technology ,Computer Graphics and Computer-Aided Design ,Software ,Unified Modeling Language ,Feature (computer vision) ,020204 information systems ,Product (mathematics) ,0202 electrical engineering, electronic engineering, information engineering ,UMLsec ,Software system ,Software engineering ,business ,computer ,computer.programming_language - Abstract
Today's software systems are too complex to ensure security after the fact – security has to be built into systems by design. To this end, model-based techniques such as UMLsec support the design-time specification and analysis of security requirements by providing custom model annotations and checks. Yet, a particularly challenging type of complexity arises from the variability of software product lines. Analyzing the security of all products separately is generally infeasible. In this work, we propose SecPL, a methodology for ensuring security in a software product line. SecPL allows developers to annotate the system design model with product-line variability and security requirements. To keep the exponentially large configuration space tractable during security checks, SecPL provides a family-based security analysis. In our experiments, this analysis outperforms the naive strategy of checking all products individually. Finally, we present the results of a user study that indicates the usability of our overall methodology.
- Published
- 2020