Model-based Secure Software Engineering using UMLsec applied to Assisted Living and Home Care
With the emergence of the Internet of Things (IoT), there is a growing number of interconnected devices being developed with concerning security vulnerabilities. Consequently, we are experiencing attacks and breaches that are capable of doing significant damage. Because security can often be difficult to enforce properly, consumes time and results in higher development costs, we propose and examine the UMLsec approach, which is aimed at improving the development of secure systems. Meanwhile, new technologies, methods and approaches for developing systems, such as ThingML, are surfacing that aim to be cost-effective, less time-consuming and more productive. Therefore, during the course of this thesis we attempt to bridge these two approaches and address the security challenges we face today.
We introduce the concept of Model-Driven Secure Software Engineering (MDSSE) for specifying and enforcing security requirements at the UML design level, in order to enforce established rules of prudent security engineering early in the software development process. We define a process for defining and constructing a UML profile, using UML's extension mechanisms to extend the UML metalanguage with security concepts, well-formedness rules and UMLsec. To demonstrate and validate the approach, we define and propose the ThingMLsec profile, which extends the security concepts and threat model of UMLsec to the domain of IoT systems. This approach and its demonstration are supported by the Eclipse-based UML2 modeling tool Papyrus and related extensions.
In order to demonstrate and validate our ThingMLsec profile, we use the Assisted Living and Community Care use case and scenario provided by the project Secure COnnected Trustable Things (SCOTT). We show that this highly expressive, effective and applicable approach, combined with a wide variety of proficient tools, can help system engineers, developers and designers to specify and automatically verify security requirements when developing for the Internet of Things or any other domain.