![4
Secure by Design
2. Must employ the same concepts and nota-
tionsduringthewholedevelopmentprocess
in order to provide a common analysis
foundation;
3. Must support the explicit definition of the
applicability of the security process within
its stages;
4. Must be clear and well guided;
5. Must define together security and func-
tional requirements but also provide a clear
distinction;
6. Must allow developers to identify possible
conflicts between security and other func-
tionalandnon-functionalrequirements,early
in the process;
7. Must allow developers to analyse security
requirements and base design solutions on
such an analysis. In other words, it should
allow developers to explore different archi-
tectural designs according to the identified
security requirements;
8. Must allow developers to validate the de-
veloped security solution at design stage.
It is worth noting that the above set of require-
ments is not meant to be an extensive or static
list but rather a set of minimum sets that each
methodology should demonstrate.
3. PROJECT BACKGROUND
The project is an active collaboration between
the School of Computing, IT and Engineering at
the University of East London and Powerchex
Ltd. It is funded under the Knowledge Transfer
Partnership(KTP)programme,whichisEurope’s
leadingprogrammehelpingbusinessestoimprove
theircompetitivenessandproductivitythroughthe
betteruseofknowledge,technologyandskillsthat
residewithintheUKknowledgebase(http://www.
ktponline.org.uk) [i.e., academic institutions].
Powerchex specialises in pre-employment
screening services for the UK financial services
sector.Thecompany’sUniqueSellingPoint(USP)
is based on a novel, labour-intensive, distributed
screening-processreducingturnaroundtimeofthe
pre-employment screening service from 20 busi-
ness days, provided by competitors, to 5 business
days.Powerchexclients,whoincludesomeofthe
largest financial institutions in the UK and world-
wide,senddetailsofjobapplicantstoPowerchex,
who then performs a number of pre-employment
screenings, ranging from full background checks
toindividualcheckssuchascreditsearch,criminal
record search, address verification and academic
and professional qualification verification.
A number of professionals from Powerchex
wereinvolvedintheprojectrangingfromthecom-
pany’s Managing Director (MD), the Operations
Manager (OM), the Financial Manager (FM), the
Quality Manager (QM), a number of Screeners
andtheTechnicalDevelopmentManager(TDM).
Therewasalsoinvolvementfromvarioussoftware
engineersemployedeitherbyPowerchex’sservice
providers (e.g., IT infrastructure, online and in
house servers) or by Powerchex’s clients IT de-
partments.Ourinitialanalysisandthediscussions
with these stakeholders indicated that the current
system demonstrates a number of problems:
• Labour intensive and prone to errors, cost-
ly and not readily scaleable and therefore
lacking the capacity to deal with the vol-
ume of work required for the expansion of
Powerchex;
• Not secure enough; the financial sector
deals with large amounts of sensitive and
private data and therefore security is the
number one concern for major banks;
• Cannot readily incorporate any additional
services for clients (current or future);
• Not conducive to staff retention (i.e., re-
petitive tasks with little reward).](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-35-320.jpg)
![8
Secure by Design
Searches. However, Online Services Providers
are imposed with security constraints such as
AllowAccessOnlytoRegistered[totheirservice]
Users.
Once the environment of the system has been
analysed and modeled, that information is fed to
the System Security Requirements Model.
• System Security Requirements Model:
This model allows the capturing and analy-
sis of the technical dimension of security
and how this translates to security require-
ments for the system. It allows a deeper
understanding of how the system under de-
velopment can support goals to be fulfilled,
security constraints to be operationalised,
secure plans to be performed and avail-
ability of security related resources. In the
Systems Security Requirements Model the
system is introduced, as another actor, and
its security constraints are furthered ana-
lysed until a set of security requirements
based on these security constraints are de-
rived. In particular, the system is allocated
all the relevant goals and dependencies
identified in the previous model along with
the relevant security constraints. By us-
ing standard software engineering analysis
techniques, such as means-end and decom-
position, along with automated tool sup-
port the information captured in this model
is the definition of the system’s security re-
quirements enhanced with a set of security
constraints, along with the system’s secu-
rity goals and entities that allow the satis-
faction of the security requirements of the
system.
With respect to the Powerchex System, the
information captured by the Security Analysis
Model provides a number of security constraints
that Powerchex and its relevant actors need to
satisfy. For example, see Figure 2, the main goal
oftheSystemistosupporttheAutomatedApplica-
tion Process. In doing so, a number of goals are
identified that support the achievement of that
root goal. Two of these goals are: Manage Client
Information and Requests and Supports Checks
Registration and Monitoring.
Through such analysis a number of security
constraints are identified and imposed to the
systemsuchasKeepApplicantInformationSecure,
SecureInformationAccess,KeepSearchesSecure
and Produce Proof of Relevant Searches Further
analysis of these security constraints results in
the identification of a number of security require-
Figure 1. Security analysis model](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-39-320.jpg)
![This accounts for the sad desolation, more pitiful since soi-disant
archaeologists got their hands in, shone upon at the chandi Sewu as
at the chandis Plahosan, Sari, Kalasan, Panataran, to restrict myself
to one name from East Java,—shone upon by the sun, the egg of
the world, whose yolk holds the germ of creation, Surya, the solar
orb personified, is a companion wonderfully, grandly suggestive
among the “thousand temples” of life accomplished, decaying into
new birth, whether he scorches the earth and withers the drooping
flowers, or climbs a dim, hazy sky to attract the vapours that
descend again in precious showers when the clouds collect and
cover the stars, charming from darkness the lovely dawn and
budding day. The meditations he disposes the mind to are mostly
directed to the future, dreams of coming happiness, and even the
contemplative Buddhist images under the Banaspatis seem agitated
by their knowledge of a promise excelling the hope of Nirvana,
which cannot satisfy the aspirations of the children of this island, full
of the joy of existence. What will the future bring to them, the
people cradled in tempest, who were taught forbearance by a creed
profoundly imbued with the inner nature of things, and submission
when misery of war and pestilence came as the harbingers of
bondage to an alien race? Too trustful, they sacrificed their birthright
for a mess of pottage and after the encroachments of the Company,
past ages crowding on their memory, the felicity of the jaman buda
assumes to their imagination a tangible shape in the ancient
monuments founded by the rulers of their own flesh and blood,
edifices so widely different from the meretricious Government
opium-dens and Government pawn-shops in which the predatory
instinct of the present masters manifests itself—layin dahulu, layin
sekarang.[123] Resigned to fate, which wills the mutability of earthly
relations, the Javanese philosopher—and all Javanese are
philosophers in their way—takes the practical view of the Vedantins,
considering that calamities mean purification to the victor in moral
contest, and looking for a serene morning after a night of distress.
He has more beliefs than one to draw upon when seeking refuge in
his cherished maxim, his phlegmatic apa boleh buwat,[124] and](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-58-320.jpg)
![CHAPTER VIII
THE APPROACH TO THE BORO BUDOOR
The goodly works, and stones of rich assay,
Cast into sundry shapes by wondrous skill,
That like on earth no where I reckon may;
Edmund Spenser, Faerie Queene, Canto X.
Among the ancient monuments of Insulinde[125] the chandi Boro
Budoor stands facile princeps. Situated in the Kadu, it is easily
reached from Jogjakarta, about twenty-five miles, or from Magelang,
about eighteen miles distant, by carriage or, still more easily, by
taking the steam-tram which connects those two provincial capitals
and leaving the cars at Moontilan where an enterprising Chinaman
provides vehicles, at short notice, for the rest of the journey via the
chandi Mendoot on the left bank of the Ello, just above its
confluence with the Progo. No better approach to the most
consummate achievement of Buddhist architecture in the island or in
the whole world, can be imagined than this one, which leads past
the smaller but scarcely less nobly conceived and conscientiously
executed temple, a commensurate introduction to the wonderful,
crowning edifice across the waters, portal to the holiest in gradation](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-60-320.jpg)
![of majestic beauty. The Kadu has been well styled the garden of
Java, as Java the pleasance of the East, full of natural charms which
captivate the senses, abounding in amenities soothing to body and
soul; but if it had nothing more to offer than the Boro Budoor and
the Mendoot, it would reward the visitor to those central shrines of
Buddhism far beyond expectation.
Behind the horses, a mental recapitulation of the characteristics of
Hindu and Buddhist architecture in the golden age of Javanese art
will not come amiss, and there may be some wonder that with so
much veneration for the Bhagavat in friendly competition with the
Jagad Guru, nowhere in the negri Jawa an imprint is shown of the
blessed foot of promise, with the deliverer’s thirty-first sign, the
wheel of the law on the sole. If, in explanation, it should be adduced
that he never travelled to those distant shores, what does that
matter? Has he been in Ceylon? And how then about the sripada,
the record left there as in so many other countries, with the sixty-
five hints at good luck? While we revolve such questions, our
carriage rolls on; the coachman cracks his whip, evidently proud of
his skill in turning sharp corners without reining in; the runners jump
with amazing agility off and on the foot-board and crack their whips,
rush to the front to encourage the leaders of the team up steep
inclines, fall again to the rear when it goes down hill in full gallop.
The exhilarating motion makes the blood tingle in the veins. How
lovely the landscape, the valley shining in the brilliant light reflected
from the mountain slopes, ...
Another turn and we dash like a whirlwind past the kachang-oil[126]
and boongkil[127] mill of Mendoot; still another turn and, with a
magnificent display of his dexterity in pulling up, our Jehu brings us
to a sudden standstill before the temple. Opposite is a mission-
school conducted for many years, with marked success, by Father P.
J. Hoevenaars, in his leisure hours an ardent student of Java’s
history and antiquities, ever ready to apply the vast amount of
learning accumulated in his comprehensive reading on a solid
classical basis, to the clearing up of disputed points, though his](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-61-320.jpg)
![modesty suffered the honours of discovery to go to the noisy players
of the archaeological big drum. His large stock of information was
and is always at the disposal of whoever may choose to avail himself
of it and, writing of the chandis Mendoot and Boro Budoor, I
acknowledge gratefully the benefit derived from my intercourse with
this accomplished scholar, lately transferred to Cheribon.
The exact date of the birth of the chandi Mendoot is unknown but
there are reasons for believing that it was built shortly after the
chandi Boro Budoor, at some time between 700 and 850 Saka (778
and 928 of the Christian era), in the glorious period of Javanese
architecture to which we owe also the Prambanan group, the
chandis Kalasan, Sewu and whatever is of the best in the island.
There are additional reasons for believing that the splendour loving
prince who ordered the Boro Budoor to be raised and under whose
reign the work on that stupendous monument was begun, founded
the Mendoot too as a mausoleum to perpetuate his memory, and
that his ashes were deposited in the royal tomb of his own designing
before its completion. If so, he was one of the most prolific and
liberal builders we have cognisance of; but his memory is nameless
and all we know of him personally, besides the imposing evidence to
his Augustan disposition contained in the superb structures he left,
rests upon two pieces of sculpture at the entrance to the inner
chamber of the mortuary chapel, if such it be, which represent a
royal couple with a round dozen of children, just as we find in some
old western churches the carved or painted images of their founders’
families.[128] We are perhaps indebted for the preservation of these
suggestive reliefs to the circumstance of the chandi Mendoot having
been covered, hidden from view during centuries and to a certain
extent protected against sacrilegious hands by volcanic sand, earth
and vegetation. Almost forgotten, its slumbers were, however, not
wholly undisturbed for, when Resident Hartman, his curiosity being
excited by wild tales, began to clear it in 1836, he found that
treasure-seekers, out for plunder, had pierced the wall above the
porch and that by way of consolation or out of vexation at missing
the untold wealth reported to be buried inside, they had carried off](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-62-320.jpg)
![And how? It is an unpleasant tale to tell: after two decades of
consideration and reconsideration, in the fourth year of the
preliminary labours of restoration, the local representative of the
Department of Public Works, put in charge of the job as a side issue
of his already sufficiently exacting normal duties, aroused suspicions
concerning his competency in the archaeological line. An altercation
with Dr. Brandes, followed by more controversy de viva voce, in
writing and in print, led to compliance with his request that it might
please his superiors to relieve him from his additional and
subordinate task as reconstructor of ancient monuments. From that
moment, January 2, 1901, until May 1, 1908, absolutely nothing was
done and the scaffoldings erected all round the building were
suffered to rot away, symbolic of the extravagant impecuniosity of a
Government which never cares how money is wasted but always
postpones needful and urgent improvements till the Greek Kalends
on the plea of its chronic state of kurang wang.[129] When most of
the fl. 8600, fl. 7235, fl. 25142 and fl. 4274, successively wrung from
Parliament for excavations and restoration, had been squandered on
what Dr. Brandes considered to be bungling patchwork, the
expensive, useless scaffoldings, becoming dangerous to the passers-
by in their neglected state, necessitated the disbursement, in 1906,
of fl. 350 for their removal. On the continuation of the work, in 1908,
by other hands, of course a new one, also of teak-wood, had to be
erected. And, the restoration once more being under way on the
strength of fl. 6800 grudgingly allotted, Parliament decided finally
that no sufficient cause had been shown to burden the colonial
budget with the sum which, according to an estimate of 1910, was
required to bring it to an end! The profligately penurious mandarins
of an exchequer exhausted by almost limitless liberality in the matter
of high bounties, subsidies, allowances, grants for experiments
which never lead to anything of practical value; in the matter of
schemes which cost millions and millions only to prove their utter
worthlessness,—the penny-wise, pound-foolish heads refused, after
an expenditure of fl. 52401 to little purpose, to disburse fl. 21700 or
even fl. 7000 more for the completion of the work commenced, this](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-65-320.jpg)
![German form recorded by Jakob and Wilhelm Grimm. Of its many
variants in the Malay Archipelago we may mention the wager
between a snail and a tiger as to which could most easily jump a
river; the snail, attaching herself to one of her big competitor’s
paws, wins, of course, and convinces the terror of the woods by
means of his hairs adhering to her body, that she is accustomed to
feed on his kind, two or three per diem, freshly killed, whereupon
the tiger leaves off blustering and sneaks away.[130] The prose
version of the Tantri which, somewhat different from the two
metrical readings known to us, contains the vulture and turtle
incident, dates probably from the last half of the Mojopahit period
and is therefore at least four centuries younger than the chandi
Mendoot, so that its author and the sculptors of the scenes from
popular beast-stories on the temple’s walls, must have had access to
a common stock of ancient fables. All turned it to best advantage
and the decorators of this splendid edifice seized their opportunity to
let the men and animals they carved in illustration of their national
literature, express what they had to say in their passionate overflow
of the creative instinct. They gave their narrative a frame in
ornament of dazzling beauty, sweetly harmonious with the moral of
the lessons they taught, stirring to deepest emotion; they cased
thoughts of happiest purport in shrines embossed and laced with
fretwork more suggestive of ivory than of stone. They adorned the
Mendoot as a bride, to be displayed before her husband, the Boro
Budoor, revelling in the fanciful idea which makes the saktis of the
Dhyani Buddhas carry budding flowers to honour incarnate love. The
wealth of statuary, while orthodox Buddhism did not admit the
worship of images either of a saintly founder of temples or of his
saintly followers; the deities with the attributes of Doorga, Siva and
Brahma, who diversify the ornament of the exterior walls, from
which right distribution of lines and surfaces may be learnt in
rhythmical relation to contour and dimension, are further indications
of the syncretism signalising the tolerance, the fraternal mingling of
different creeds in the distant age of Mataram’s vigour and artistic
energy.](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-70-320.jpg)
![The religious principles underlying that empire’s greatness and
providing a basis for a firm sense of duty to guide a temperament of
fire, are nobly embodied in the three gigantic statues placed in the
inner chamber of the Mendoot or, to be quite exact, round which
that chandi was reared, for the entrance is too small to let them
through, especially the largest of them which, miraculously
undamaged save one missing finger-tip, has slid down from its
pedestal and consequently occupies a lower station between the
subordinate figures than originally intended. All three are seated and
the first in rank, of one piece with his unembellished throne,
measures fourteen feet; the two to his right and left, of less grave
aspect, wearing richly wrought necklaces, armlets, wristbands,
anklets and tiaras, measure eight feet each. If the oorna[131] more
excellent than a crown, identifies the master among them, the
position of whose fingers reminds of Vajrochana, the first Dhyani
Buddha, the others have been taken respectively for a Bodhisatva
and for a devotee who attained by his meritorious life a high degree
of saintliness but whose Brahmanic adornment flatly contradicts the
Buddhist character of such perfection. This explanation is therefore
considered unsatisfactory and unacceptable by many, as, for
instance, his Majesty Somdetch Phra Paramindr Chulalongkorn, the
late King of Siam, who, by the way, when visiting the chandis
Mendoot and Boro Budoor in 1896, claimed those masterpieces of
mahayanistic art for his own, the southern church, to use the
incorrect but convenient distinction. According to this royal
interpreter, the idea was to represent the Buddha in the act of
blessing the Buddhist prince who ordered the Boro Budoor to be
built, here placed at his right with an image of the deliverer in his
makuta and carrying no upawita but a monk’s robe under the
insignia of his dignity; the third statue, directly opposite, at the
Buddha’s left, without Buddhist accessories but with an upawita
hanging down from its left shoulder, might impersonate him again in
his state before conversion, or his unconverted father on whom,
after death, he wished to bestow a share in the deliverer’s
benediction. However this may be, there is no doubt of the](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-71-320.jpg)
![Enlightened One’s identity in one of his many personifications and,
leaving the eighty secondary marks unexplored (three for the nails,
three for the fingers, three for the palms of the hands, three for the
forty evenly set teeth, one for the nose, six for the piercing eyes,
five for the eyebrows, three for the cheeks, nine for the hair, ten for
the lower members in general,—without our entering into further
detail!), the thirty-two primary signs are all present: the
protuberance on the top of the skull; the crisped hair (of a glossy
black which the sculptor could not reproduce) curling towards the
right;[132] the ample forehead; the oorna, which sheds a white light
(also unsculpturable) as the sheen of polished silver or snow smiled
upon by the sun; etc. Though the colossal statue of the welcome
redeemer, like those of the worshipping kings, does not recommend
itself by faultless modelling, it breathes the spirit which sustains the
arahat, him who becomes worthy; it radiates the tranquil felicity of
annihilation of existence, sin, sorrow and pain; it promises the final
blowing out of life’s candle, the Nirvana, when the understanding will
be reached of the Adi-Buddha, the primitive, primordial,
immeasurable. And the lowest of the four degrees of the Nirvana, it
seems to say, is already attainable on earth by emancipation from
the bondage of fleshly desire and vice, by avoidance of that which
taints and corrupts.... The noonday glare, subdued by the heavy
shadow of the porch, fills the sanctuary with a golden haze and
upon its dimly gleaming wings a faint music descends, a song of
deliverance. The psalmist’s visions of the covering of iniquity
compass us about and invite to recognition of a common source of
divine inspiration in mankind of whatever creed. The scent of the
melati and champaka flowers, strewn at the feet and in the lap of
the deity—the image of him who taught that there is none such, and
revered by professed believers in the Book which consigns idolaters
to hell-fire!—mingles with the pungent odour of the droppings of the
bats, fluttering and screeching things in the dark recesses of the
roof, disturbed in their sleep. Truly there ought to be a limit to
syncretism and this last mentioned mixture of heterogeneous](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-72-320.jpg)
![drift down the slopes of the Merapi, by the overflowing runnels
discharging their load of mud into the Ello and the Progo, the
magnitude of volcanic devastation can be gauged from the
difference in level between the base of the chandi and the site of the
kampong higher up, under which the platform extends whereon its
subsidiary buildings stood. Excavations in the detritus have already
resulted in the discovery of portions of a brick parapet once
enclosing the temple grounds; of vestiges of smaller shrines in the
east corner of the terrace and of a cruciform brick substructure to
the northeast with fragments of bell-shaped chaityas;[133] of a
Banaspati, probably from the balustrade of the staircase, and
detached stones with and without sculptured ornament, which
revealed the former existence of several miniature temples
surrounding the central one. At the time of my last visit (which came
near terminating my career in my present earthly frame, through the
rotten scaffolding giving way under my feet when ascending to the
roof), more than half of the space conjecturally encompassed by the
parapet, still awaited exploration, and since then restoration, within
the limits of the scanty sums allowed, seems to have superseded
excavation. In connection with both, the names should be
mentioned of P. H. van der Ham, who did wonders with the little
means at his disposal, and C. den Hamer, who showed that the
decoration of the Mendoot too was not completed before the great
catastrophe which devastated Central Java and stopped architectural
pursuits.[134]
Reviewing the history of the ancient monuments of the island, not
one can pass without a repetition of the sad tale of spoliation.
However unpleasant it be to record in every single instance the
culpable negligence of a Government stiffening general indifference
and almost encouraging downright robbery, the rapid deterioration
of those splendid edifices allows no alternative in the matter of
explanation. When officials and private individuals of the ruling race
set the example, the natives saw no harm in quarrying building
material on their own account for their own houses, and they had no
time to lose in the rapid process of the razing of their chandis for the](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-74-320.jpg)
![adornment of residency and assistant-residency gardens, the
construction of dams, sugar-mills and indigo factories. Temple stones
have been found in many villages round the Mendoot and
particularly in Ngrajeg, about two miles distant on the main road,
there is no native dwelling in the substructure of which they have
not been used.[135] Though the wealth of the dessa Ngrajeg in this
respect may be explained by its once having boasted its own chandi,
of which nothing remains but the foundations, there is abundant
proof that the chief quarry of the neighbourhood on this side of the
river was the Mendoot as the Boro Budoor on the other. From a
juridical standpoint, the natives in possession of such spoil, acquired
by their fathers or grandfathers, have a prescriptive right on it not
disputable in law, averred the administration at Batavia, and so
whatever the architects in charge of the restoration needed, had to
be bought back and diminished still further the disposable funds.
Leaving the doubtful points of this legal question and the
enforcement in practice of the theoretical decision for what they are
worth to Kromo or Wongso, ordered to part with his doorstep or
coinings, there is no doubt that it is illegal and highly censurable to
demolish temples, and temples like the Mendoot at that, to secure
building material for Government dams and bridges. What happened
in Mojokerto with the bricks of Mojopahit and has been complained
of elsewhere, I saw happen in 1885 with Mendoot stones, freely
used for abutments, piers, spandrel fillings, etc., when near by the
spanning of the Progo was in progress. That bridge has since
succumbed like the railway bridge then in course of construction
farther down the Progo, a warning which, if heeded, might have
prevented, for instance, the chronic misfortunes of the railway
bridge in the Anei gorge, West Coast of Sumatra.
With Government bridges lacking the strength to resist the
impetuosity of more than ordinarily boisterous freshets, there may
always be a surprise in store for the pilgrim to the Boro Budoor who
has arrived at the first station, the Mendoot: will he or will he not
find the means to cross? For, in time of banjir, i.e. when the river is
in spate, the primitive ferry which maintains the communication in](https://image.slidesharecdn.com/2316809-250516093701-69b2bfdc/85/Developing-And-Evaluating-Securityaware-Software-Systems-1st-Edition-Khaled-M-Khan-75-320.jpg)
Developing And Evaluating Securityaware Software Systems 1st Edition Khaled M Khan
- 1. Developing And Evaluating Securityaware Software Systems 1st Edition Khaled M Khan download https://ebookbell.com/product/developing-and-evaluating- securityaware-software-systems-1st-edition-khaled-m-khan-4633618 Explore and download more ebooks at ebookbell.com
- 2. Here are some recommended products that we believe you will be interested in. You can click the link to download. Developing And Evaluating Quality Bilingual Practices In Higher Education Fernando D Rubioalcal Editor Do Coyle Editor https://ebookbell.com/product/developing-and-evaluating-quality- bilingual-practices-in-higher-education-fernando-d-rubioalcal-editor- do-coyle-editor-51814050 Developing And Evaluating Educational Programs For Students With Autism 1st Edition Caroline I Magyar Auth https://ebookbell.com/product/developing-and-evaluating-educational- programs-for-students-with-autism-1st-edition-caroline-i-magyar- auth-4391620 Developing And Evaluating A Cloud Service Relationship Theory 1st Edition Jan Huntgeburth Auth https://ebookbell.com/product/developing-and-evaluating-a-cloud- service-relationship-theory-1st-edition-jan-huntgeburth-auth-4932502 District Leader Internship Developing Monitoring And Evaluating Your Leadership Experience Gary E Martin https://ebookbell.com/product/district-leader-internship-developing- monitoring-and-evaluating-your-leadership-experience-gary-e- martin-48756508
- 3. School Leader Internship Developing Monitoring And Evaluating Your Leadership Experience Paperback Gary F Martin Arnold B Danzig William F Wright Richard A Flanary Margaret Terry Orr https://ebookbell.com/product/school-leader-internship-developing- monitoring-and-evaluating-your-leadership-experience-paperback-gary-f- martin-arnold-b-danzig-william-f-wright-richard-a-flanary-margaret- terry-orr-10133376 Managing Coaching At Work Developing Evaluating And Sustaining Coaching In Organizations Jackie Keddy Clive Johnson https://ebookbell.com/product/managing-coaching-at-work-developing- evaluating-and-sustaining-coaching-in-organizations-jackie-keddy- clive-johnson-48839866 Evaluating Environmental And Social Impact Assessment In Developing Countries Salim Momtaz And S M Zobaidul Kabir Auth https://ebookbell.com/product/evaluating-environmental-and-social- impact-assessment-in-developing-countries-salim-momtaz-and-s-m- zobaidul-kabir-auth-4409938 Developing Monitoring And Evaluation Frameworks 1st Edition Anne Markiewicz https://ebookbell.com/product/developing-monitoring-and-evaluation- frameworks-1st-edition-anne-markiewicz-11359860 Developing Crosscultural Measurement In Social Work Research And Evaluation 2nd Edition Keith T Chan https://ebookbell.com/product/developing-crosscultural-measurement-in- social-work-research-and-evaluation-2nd-edition-keith-t-chan-10787888
- 6. Khaled M. Khan Qatar University, Qatar Developing and Evaluating Security-Aware Software Systems
- 7. Developing and evaluating security-aware software systems / Khaled M. Khan, editor. pages cm Summary: “This book provides innovative ideas and methods on the development, operation, and maintenance of secure software systems and highlights the construction of a functional software system and a secure system simultaneously”-- Pro- vided by publisher. Includes bibliographical references and index. ISBN 978-1-4666-2482-5 (hardcover) -- ISBN 978-1-4666-2483-2 (ebook) (print) -- ISBN 978-1-4666-2484-9 (print & perpetual access) (print) 1. Computer networks--Security measures. 2. Computer software--Development. 3. Computer security. I. Khan, Khaled M., 1959- editor of compilation. TK5105.59.D48 2013 005.8--dc23 2012023337 British Cataloguing in Publication Data A Cataloguing in Publication record for this book is available from the British Library. The views expressed in this book are those of the authors, but not necessarily of the publisher. Managing Director: Lindsay Johnston Editorial Director: Joel Gamon Book Production Manager: Jennifer Romanchak Publishing Systems Analyst: Adrienne Freeland Assistant Acquisitions Editor: Kayla Wolfe Typesetter: Henry Ulrich Cover Design: Nick Newcomer Published in the United States of America by Information Science Reference (an imprint of IGI Global) 701 E. Chocolate Avenue Hershey PA 17033 Tel: 717-533-8845 Fax: 717-533-8661 E-mail: cust@igi-global.com Web site: http://www.igi-global.com Copyright © 2013 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark. Library of Congress Cataloging-in-Publication Data
- 8. Associate Editors Yun Bai, University of Western Sydney, Australia Konstantin Beznosov, University of British Columbia, Canada Kendra Cooper, University of Texas at Dallas, USA Frédéric Cuppens, ENST-Bretagne, France Jun Han, Swinburne University of Technology, Australia Jan Jürjens, Open University, UK Florian Kerschbaum, The University of Alabama, USA Fabio Martinelli, National Research Council, Italy Raimundas Matulevicius, University of Tartu, Estonia Per Håkon Meland, SINTEF, Norway Frank Piessens, Katholieke Universiteit Leuven, Belgium Riccardo Scandariato, Katholieke Universiteit Leuven, Belgium Panagiotis Trimintzios, European Network and Information Security Agency, Greece George Yee, National Research Council Canada, Canada Yan Zhang, University of Western Sydney, Australia List of Reviewers Rafael Accorsi, University of Freiburg, Germany Joseph Barjis, Delft University of Technology, The Netherlands Ana Cavalli, TELECOM & Management SudParis, France Jean-Noël Colin, University of Namur, Belgium Herve Debar, France Telecom R & D, France Narendra Gangavarapu, RailCorp, Australia Munawar Hafiz, University of Illinois at Urbana-Champaign, USA Vitus Lam, University of Hong Kong, China Denivaldo Lopes, Federal University of Maranhão, Brazil Qutaibah Malluhi, Qatar University, Qatar Amel Mammar, TELECOM & Management SudParis,France Gregorio Martinez, University of Murcia, Spain Wes (Wassim) Masri, American University of Beirut, Lebanon Sjouke Mauw, University of Luxembourg, Luxembourg
- 9. Nancy Mead, Carnegie Mellon University, USA Bashar Nuseibeh, Open University, UK Jong Hyuk Park, Kyungnam University, Korea Muthu Ramachandran, Leeds Metropolitan University, UK Mohammed Rashid, Massey University, New Zealand Samuel Redwine Jr., James Madison University, USA Lillian Røstad, Norwegian University of Science and Technology, Norway Nahid Shahmehri, Linkoping University, Sweden Dongwan Shin, New Mexico Tech, USA Torbjorn Skramstad, Norwegian University of Science and Technology, Norway Randy Smith, The University of Alabama, USA Edgar R. Weippl, Vienna University of Technology, Austria Lei Wu, University of Houston, USA Ty Mey Yap, Simon Fraser University, Canada Mohammad Zulkernine, Queens University, Canada
- 10. Table of Contents Preface. .................................................................................................................................................xiv Section 1 Software Development Process Chapter 1 Secure by Design: Developing Secure Software Systems from the Ground Up..................................... 1 Haralambos Mouratidis, University of East London, UK Miao Kang, Powerchex Ltd., UK Chapter 2 Security Evaluation of Service-Oriented Systems Using the SiSOA Method....................................... 20 Christian Jung, Fraunhofer Institute for Experimental Software Engineering, Germany Manuel Rudolph, Fraunhofer Institute for Experimental Software Engineering, Germany Reinhard Schwarz, Fraunhofer Institute for Experimental Software Engineering, Germany Chapter 3 Eliciting Policy Requirements for Critical National Infrastructure Using the IRIS Framework. .......... 36 Shamal Faily, University of Oxford, UK Ivan Fléchais, University of Oxford, UK Chapter 4 Organizational Patterns for Security and Dependability: From Design to Application. ........................ 56 Yudis Asnar, University of Trento, Italy Fabio Massacci, University of Trento, Italy Ayda Saidane, University of Trento, Italy Carlo Riccucci, Engineering Ingegneria Informatica S.p.A, Italy Massimo Felici, Deep Blue, Italy Alessandra Tedeschi, Deep Blue, Italy Paul El-Khoury, SAP Research, France Keqin Li, SAP Research, France Magali Séguran, SAP Research, France Nicola Zannone, Eindhoven University of Technology, The Netherlands
- 11. Chapter 5 Not Ready for Prime Time: A Survey on Security in Model Driven Development.............................. 77 Jostein Jensen, Norwegian University of Science and Technology, Norway Martin Gilje Jaatun, SINTEF, Norway Chapter 6 Security Gaps in Databases: A Comparison of Alternative Software Products for Web Applications Support................................................................................................................ 91 Afonso Araújo Neto, University of Coimbra, Portugal Marco Vieira, University of Coimbra, Portugal Section 2 Formal Techniques and Tools Chapter 7 Using Executable Slicing to Improve Rogue Software Detection Algorithms ................................... 113 Jan Durand, Louisiana Tech University, USA Juan Flores, Louisiana Tech University, USA Nicholas Kraft, University of Alabama, USA Randy Smith, University of Alabama, USA Travis Atkison, Louisiana Tech University, USA Chapter 8 Ell Secure Information System Using Modal Logic Technique ......................................................... 125 Yun Bai, University of Western Sydney, Australia Khaled M. Khan, Qatar University, Qatar Chapter 9 A Formal Language for XML Authorisations Based on Answer Set Programming and Temporal Interval Logic Constraints. ................................................................................................................... 138 Sean Policarpio, University of Western Sydney, Australia Yan Zhang, University of Western Sydney, Australia Chapter 10 Building Secure Software Using XP . .................................................................................................. 161 Walid Al-Ahmad, King Saud University, Saudi Arabia
- 12. Section 3 Standard Security Functions Chapter 11 Analysis of ANSI RBAC Support in EJB ........................................................................................... 177 Wesam Darwish, The University of British Columbia, Canada Konstantin Beznosov, The University of British Columbia, Canada Chapter 12 Performance Evaluation of Secure Key Deployment and Exchange Protocol for MANETs ............. 205 Alastair Nisbet, Massey University, New Zealand M. A. Rashid, Massey University, New Zealand Chapter 13 JavaSPI: A Framework for Security Protocol Implementation............................................................ 225 Matteo Avalle, Politecnico di Torino, Italy Alfredo Pironti, INRIA, France Davide Pozza, Teoresi Group, Italy Riccardo Sisto, Politecnico di Torino, Italy Chapter 14 A Systematic Empirical Analysis of Forging Fingerprints to Fool Biometric Systems...................... 240 Christian Schwarzl, Vienna University of Technology and SBA Research, Austria Edgar Weippl, Vienna University of Technology and SBA Research, Austria Chapter 15 Integrating Patient Consent in e-Health Access Control . .................................................................... 285 Kim Wuyts, Katholieke Universiteit Leuven, Belgium Riccardo Scandariato, Katholieke Universiteit Leuven, Belgium Griet Verhenneman, Katholieke Universiteit Leuven, Belgium Wouter Joosen, Katholieke Universiteit Leuven, Belgium Compilation of References................................................................................................................ 309 About the Contributors..................................................................................................................... 330 Index.................................................................................................................................................... 339
- 13. Preface. .................................................................................................................................................xiv Section 1 Software Development Process Chapter 1 Secure by Design: Developing Secure Software Systems from the Ground Up..................................... 1 Haralambos Mouratidis, University of East London, UK Miao Kang, Powerchex Ltd., UK This paper describes results and reflects on the experience of engineering a secure web based system for the pre-employment screening domain. In particular, the paper presents results from a Knowledge Transfer Partnership (KTP) project between the School of Computing, IT and Engineering at the Uni- versity of East London and the London-based award winning pre-employment company Powerchex Ltd. The Secure Tropos methodology, which is based on the principle of secure by design, has been applied to the project to guide the development of a web based system to support employment reference and background checking specifically for the financial services industry. Findings indicate the potential of the methodology for the development of secure web based systems, and support the argument of incorporat- ing security considerations from the early stages of the software development process, i.e., the idea of secure by design. The developed system was tested by a third, independent to the project, party using a well known method of security testing, i.e., penetration testing, and the results provided did not indicate the presence of any major security problems. The experience and lessons learned by the application of the methodology to an industrial setting are also discussed in the paper. Chapter 2 Security Evaluation of Service-Oriented Systems Using the SiSOA Method....................................... 20 Christian Jung, Fraunhofer Institute for Experimental Software Engineering, Germany Manuel Rudolph, Fraunhofer Institute for Experimental Software Engineering, Germany Reinhard Schwarz, Fraunhofer Institute for Experimental Software Engineering, Germany The Service-Oriented Architecture paradigm (SOA) is commonly applied for the implementation of complex, distributed business processes. The service-oriented approach promises higher flexibility, in- teroperability and reusability of the IT infrastructure. However, evaluating the quality attribute security of such complex SOA configurations is not sufficiently mastered yet. To tackle this complex problem, the authors developed a method for evaluating the security of existing service-oriented systems on the architectural level. The method is based on recovering security-relevant facts about the system by using Detailed Table of Contents
- 14. reverse engineering techniques and subsequently providing automated support for further interactive security analysis at the structural level. By using generic, system-independent indicators and a knowl- edge base, the method is not limited to a specific programming language or technology. Therefore, the method can be applied to various systems and adapt it to specific evaluation needs. The paper describes the general structure of the method, the knowledge base, and presents an instantiation aligned to the Service Component Architecture (SCA) specification. Chapter 3 Eliciting Policy Requirements for Critical National Infrastructure Using the IRIS Framework. .......... 36 Shamal Faily, University of Oxford, UK Ivan Fléchais, University of Oxford, UK Despite existing work on dealing with security and usability concerns during the early stages of design, there has been little work on synthesising the contributions of these fields into processes for specifying and designing systems. Without a better understanding of how to deal with both concerns at an early stage, the design process risks disenfranchising stakeholders, and resulting systems may not be situated in their contexts of use. This paper presents the IRIS process framework, which guides technique selec- tion when specifying usable and secure systems. The authors illustrate the framework by describing a case study where the process framework was used to derive missing requirements for an information security policy for a UK water company following reports of the Stuxnet worm. The authors conclude with three lessons informing future efforts to integrate Security, Usability, and Requirements Engineer- ing techniques for secure system design. Chapter 4 Organizational Patterns for Security and Dependability: From Design to Application. ........................ 56 Yudis Asnar, University of Trento, Italy Fabio Massacci, University of Trento, Italy Ayda Saidane, University of Trento, Italy Carlo Riccucci, Engineering Ingegneria Informatica S.p.A, Italy Massimo Felici, Deep Blue, Italy Alessandra Tedeschi, Deep Blue, Italy Paul El-Khoury, SAP Research, France Keqin Li, SAP Research, France Magali Séguran, SAP Research, France Nicola Zannone, Eindhoven University of Technology, The Netherlands Designing secure and dependable IT systems requires a deep analysis of organizational as well as so- cial aspects of the environment where the system will operate. Domain experts and analysts often face security and dependability (S&D) issues they have already encountered before. These concerns require the design of S&D patterns to facilitate designers when developing IT systems. This article presents the experience in designing S&D organizational patterns, which was gained in the course of an industry lead EU project. The authors use an agent-goal-oriented modeling framework (i.e., the SI* framework) to analyze organizational settings jointly with technical functionalities. This framework can assist domain experts and analysts in designing S&D patterns from their experience, validating them by proof-of- concept implementations, and applying them to increase the security level of the system.
- 15. Chapter 5 Not Ready for Prime Time: A Survey on Security in Model Driven Development.............................. 77 Jostein Jensen, Norwegian University of Science and Technology, Norway Martin Gilje Jaatun, SINTEF, Norway Model Driven Development (MDD) is by many considered a promising approach for software devel- opment. This article reports the results of a systematic survey to identify the state-of-the-art within the topic of security in model driven development, with a special focus on finding empirical studies. The authors provide an introduction to the major secure MDD initiatives, but the survey shows that there is a lack of empirical work on the topic. The authors conclude that better standardization initiatives and more empirical research in the field is necessary before it can be considered mature. Chapter 6 Security Gaps in Databases: A Comparison of Alternative Software Products for Web Applications Support................................................................................................................ 91 Afonso Araújo Neto, University of Coimbra, Portugal Marco Vieira, University of Coimbra, Portugal When deploying database-centric web applications, administrators should pay special attention to data- base security requirements. Acknowledging this, Database Management Systems (DBMS) implement severalsecuritymechanismsthathelpDatabaseAdministrators(DBAs)makingtheirinstallationssecure. However, different software products offer different sets of mechanisms, making the task of selecting the adequate package for a given installation quite hard. This paper proposes a methodology for detect- ing database security gaps. This methodology is based on a comprehensive list of security mechanisms (derived from widely accepted security best practices), which was used to perform a gap analysis of the security features of seven software packages composed by widely used products, including four DBMS engines and two Operating Systems (OS). The goal is to understand how much each software package helps developers and administrators to actually accomplish the security tasks that are expected from them. Results show that while there is a common set of security mechanisms that is implemented by most packages, there is another set of security tasks that have no support at all in any of the packages. Section 2 Formal Techniques and Tools Chapter 7 Using Executable Slicing to Improve Rogue Software Detection Algorithms ................................... 113 Jan Durand, Louisiana Tech University, USA Juan Flores, Louisiana Tech University, USA Nicholas Kraft, University of Alabama, USA Randy Smith, University of Alabama, USA Travis Atkison, Louisiana Tech University, USA This paper describes a research effort to use executable slicing as a pre-processing aid to improve the prediction performance of rogue software detection.The prediction technique used here is an information retrieval classifier known as cosine similarity that can be used to detect previously unknown, known or variances of known rogue software by applying the feature extraction technique of randomized projec- tion. This paper provides direction in answering the question of is it possible to only use portions or subsets, known as slices, of an application to make a prediction on whether or not the software contents
- 16. are rogue. This research extracts sections or slices from potentially rogue applications and uses these slices instead of the entire application to make a prediction. Results show promise when applying ran- domized projections to cosine similarity for the predictions, with as much as a 4% increase in prediction performance and a five-fold decrease in processing time when compared to using the entire application. Chapter 8 Ell Secure Information System Using Modal Logic Technique ......................................................... 125 Yun Bai, University of Western Sydney, Australia Khaled M. Khan, Qatar University, Qatar In this paper, the authors propose a formal logic technique to protect information systems. As the widespread use of computer systems grows, the security of the information stored in such systems has become more important. As a security mechanism, authorization or access control ensures that all accesses to the system resources occur exclusively according to the access polices and rules specified by the system security agent. Authorization specification has been widely studied and a variety of ap- proaches have been investigated. The authors propose a formal language with modal logic to specify the system security policies. The authors also provide the reasoning in response to system access requests, especially in situations where the security agent’s knowledge base is incomplete. The semantics of this language is provided by translating it into epistemic logic program in which knowledge related modal operators are employed to represent agents’ knowledge in reasoning. The authors demonstrate how this approach handles the situation where the security agent’s knowledge on access decision is incomplete. Theproposedmechanismeffectivelypreventsunauthorizedandmaliciousaccesstoinformationsystems. Chapter 9 A Formal Language for XML Authorisations Based on Answer Set Programming and Temporal Interval Logic Constraints. ................................................................................................................... 138 Sean Policarpio, University of Western Sydney, Australia Yan Zhang, University of Western Sydney, Australia The Extensible Markup Language is susceptible to security breaches because it does not incorporate methods to protect the information it encodes. This work focuses on the development of a formal lan- guage that can provide role-based access control to information stored in XML formatted documents. This language has the capacity to reason whether access to an XML document should be allowed. The language, Axml(T) , allows for the specification of authorisations on XML documents and distinguishes itself from other research with the inclusion of temporal interval reasoning and the XPath query language. Chapter 10 Building Secure Software Using XP . .................................................................................................. 161 Walid Al-Ahmad, King Saud University, Saudi Arabia Security is an important and challenging aspect that needs to be considered at an early stage during software development. Traditional software development methodologies do not deal with security is- sues and so there is no structured guidance for security design and development; security is usually an afterthought activity. This paper discusses the integration of XP with security activities based on the CLASP (Comprehensive Lightweight Application Security Process) methodology. This integration will help developers using XP develop secure software by applying security measures in all phases and activities, thereby minimizing the security vulnerabilities exploited by attackers.
- 17. Section 3 Standard Security Functions Chapter 11 Analysis of ANSI RBAC Support in EJB ........................................................................................... 177 Wesam Darwish, The University of British Columbia, Canada Konstantin Beznosov, The University of British Columbia, Canada This paper analyzes access control mechanisms of the Enterprise Java Beans (EJB) architecture and defines a configuration of the EJB protection system in a more precise and less ambiguous language than the EJB 3.0 standard. Using this configuration, the authors suggest an algorithm that formally speci- fies the semantics of authorization decisions in EJB. The level of support is analyzed for the American National Standard Institute’s (ANSI) specification of Role-Based Access Control (RBAC) components and functional specification in EJB. The results indicate that the EJB specification falls short of support- ing even Core ANSI RBAC. EJB extensions dependent on the operational environment are required in order to support ANSI RBAC required components. Other vendor-specific extensions are necessary to support ANSI RBAC optional components. Fundamental limitations exist, however, due to the imprac- ticality of some aspects of theANSI RBAC standard itself. This paper sets up a framework for assessing implementations of ANSI RBAC for EJB systems. Chapter 12 Performance Evaluation of Secure Key Deployment and Exchange Protocol for MANETs ............. 205 Alastair Nisbet, Massey University, New Zealand M. A. Rashid, Massey University, New Zealand Secure Key Deployment and Exchange Protocol (SKYE) is a new encryption Key Management Scheme (KMS) based on combination of features from recent protocols combined with new features for Mobile Ad Hoc Networks (MANETs). The design focuses on a truly ad hoc networking environment where geographical size of the network, numbers of network members, and mobility of the members is all unknown before deployment. Additionally, all key management is performed online making it distinct from most other implementations. This paper attempts to describe the process of development of the protocol and to more thoroughly discuss the simulation software design used to evaluate the performance of the proposed protocol. Simulation results show that security within the network can be increased by requiring more servers to collaborate to produce a certificate for the new member, or by requiring a higher trust threshold along the certificate request chain. SKYE works well within the limitations set by entirely online network formation and key management. Chapter 13 JavaSPI: A Framework for Security Protocol Implementation............................................................ 225 Matteo Avalle, Politecnico di Torino, Italy Alfredo Pironti, INRIA, France Davide Pozza, Teoresi Group, Italy Riccardo Sisto, Politecnico di Torino, Italy This paper presents JavaSPI, a “model-driven” development framework that allows the user to reliably develop security protocol implementations in Java, starting from abstract models that can be verified formally. The main novelty of this approach stands in the use of Java as both a modeling language and the implementation language. The JavaSPI framework is validated by implementing a scenario of the SSL protocol. The JavaSPI implementation can successfully interoperate with OpenSSL, and has com- parable execution time with the standard Java JSSE library.
- 18. Chapter 14 A Systematic Empirical Analysis of Forging Fingerprints to Fool Biometric Systems...................... 240 Christian Schwarzl, Vienna University of Technology and SBA Research, Austria Edgar Weippl, Vienna University of Technology and SBA Research, Austria This paper serves to systematically describe the attempts made to forge fingerprints to fool biometric systems and to review all relevant publications on forging fingerprints to fool sensors. The research finds that many of the related works fail in this aspect and that past successes could not be repeated. First, the basics of biometrics are explained in order to define the meaning of the term security in this special context. Next, the state of the art of biometric systems is presented, followed by to the topic of security of fingerprint scanners. For this, a series of more than 30,000 experiments were conducted to fool scanners. The authors were able to reproduce and keep records of each single step in the test and to show which methods lead to the desired results. Most studies on this topic exclude a number of steps in producing a fake finger and fooling a fingerprint scanner are not explained, which means that some of the studies cannot be replicated. In addition, the authors’ own ideas and slight variations of existing experiment set-ups are presented. Chapter 15 Integrating Patient Consent in e-Health Access Control . .................................................................... 285 Kim Wuyts, Katholieke Universiteit Leuven, Belgium Riccardo Scandariato, Katholieke Universiteit Leuven, Belgium Griet Verhenneman, Katholieke Universiteit Leuven, Belgium Wouter Joosen, Katholieke Universiteit Leuven, Belgium Many initiatives exist that integrate e-health systems on a large scale. One of the main technical chal- lengesisaccesscontrol,althoughseveralframeworksandsolutions,likeXACML,arebecomingstandard practice. Data is no longer shared within one affinity domain but becomes ubiquitous, which results in a loss of control.As patients will be less willing to participate without additional control strategies, patient consents are introduced that allow the patients to determine precise access rules on their medical data. This paper explores the consequences of integrating consent in e-health access control. First, consent requirements are examined, after which an architecture is proposed which incorporates patient consent in the access control service of an e-health system. To validate the proposed concepts, a proof-of-concept implementation is built and evaluated. Compilation of References................................................................................................................ 309 About the Contributors..................................................................................................................... 330 Index.................................................................................................................................................... 339
- 19. xiv Preface INTRODUCTION The popularity of the first collection of the Advances in Engineering Secure Software series, entitled, “Issues and Challenges in Security-Aware Software Development” (Khan, 2012), has prompted us to compile this second collection of the series. Our first collection emphasizes on two objectives of security-aware software development, namely, software assurance and security assurance in the light of the development process. It also provides a detailed account on these two aspects. However, this book focuses mainly on three types of major ingredients for security-aware software development. It looks back some of the development of various processes, tools, techniques and security functions that took place last one decade since the inception of security-aware software engineering paradigm. The paradigm basically started in late 1990s with the goal of developing appropriate software engineering process and techniques, in addition to standard security functions, that could ensure constructing secure software products. The two terminologies security-aware software and secure software are often used interchangeably. The core idea of this paradigm is to integrate security concerns with all phases in the software develop- ment process from requirements to testing and deployment. Such a process not only deals with technical aspects of secure software engineering, but the management aspects of software security should also be addressed. The development of security-aware software is mainly based on software engineering principles focusing on technical as well as managerial aspects of software security along with systems functionalities. The US department of Homeland Security initiated this with the title, ‘Build Security in’ that essentially advocates this idea (Homeland security). The issue of security-aware software development was raised by researchers as well practitioners in late 1990s because security has been often treated as an afterthought, delayed to post-deployment phases of the software development process. Worst, security issues are delegated to systems administrators at the deployment as well as maintenance stages. Security-aware software development has emerged as a fundamental concern. Standard security mechanisms such as authentication, access control and encryp- tion are definitely necessary for protecting information and software, but they do not provide end-to-end assurances. Incorporating security into the entire software development process is definitely challenging. It is proposed in (Erl, 2005) that services software should be developed in three ways in order to ensure security: top-down approach, bottom-up approach, and agile approach -- one has to consider security throughout all these three approaches.
- 20. xv The process of developing security-aware software involves many issues, from security policy formulation, security requirements modeling, developing security architecture, integrating security re- quirements with functionalities, testing verification and validation, and finally assurances that the end product is secure. If we classify these into broader categories, we find that the main research thrust on security-aware software systems revolves around the following three major areas: • Software development process • Formal techniques and tool • Standard security functions The relationship among the above three is summarized in Figure 1. This figure shows that a security- aware software development process should be based on software development process, formal tech- niques, and standard security functions. Secure software can be produced by integrating security func- tions, appropriate formal techniques into various phases of the development lifecycle. Various phases in the development process are associated with different specific techniques and tools. For example, the requirements analysis phase is supported by logic based techniques, the coding is supported by almost all formal techniques. The list of the techniques outlined in the figure is just an example. Similarly, requirements analysis, design, coding and deployment phases should be integrated with the standard security functions. Again, the list of the standard security functions is not complete, it just shows some examples of security functions. More research work is needed in order to identify the appropriate tools and techniques, standard security functions, and their relationships with various phases in the software development process. We now briefly discuss each of the three ingredients in the following sections. Figure 1. Major ingredients of security-aware software development process
- 21. xvi Integration with Software Development Process The secure software development process involves the distinct tasks and procedures in the develop- ment cycle that are used to analyze, design and construct a software product. It has been argued that to achieve security-aware software, we need to address software security throughout the entire lifecycle of the software development process (Khan, 2012). A single task or procedure would unlikely produce security-aware software. Modern software systems are mainly intended to support highly complex business processes and interactions with other systems. While capturing, modeling and reflecting these complex processes in software systems is a challenging task, addressing security concerns of businesses in the software poses even greater challenges. In this context, security-aware software modeling defi- nitely requires a holistic and collaborative approach.At the process level, considerable research activities have been reported in the literature. More notably, the integration of security requirements into UML for secure software modeling and analysis has been developed by several researchers. All these works are centered around UML notations. Most of these attempt to extend UML in order to incorporate security concerns in the functionality. Probably for the first time, a Framework for Network Enterprise utilizing UML notations to describe a role-based access control (RBAC) model was proposed in (Epstein & Sandhu, 1999). It uses UML to represent RBAC. A similar work, the representation of access control such as MAC and RBAC using UML, was also proposed in (Shin &Ahn, 2000; Ray et al., 2003).An extension of UML, called UMLsec proposed in (Jurjens, 2002a; Jurjens, 2002b) focuses more on multi-level security of messages in UML interaction diagrams (namely sequence and state diagrams). Similarly, in another work called Secu- reUML (Lodderstedt et al., 2002), the authors introduce new meta-model components and authorization constraints expressed for RBAC. ThemainobjectiveofmostoftheseattemptsistoextendUMLinordertoincorporatesecurityconcerns in the functionality. Similar work on the extension of UML use cases to include security requirements is reported in (Siponen et al., 2006). Another extension of UML was proposed in (Basin et al., 2009) in order to model security properties such a way that could be evaluated against hypothetical run-time instances such as static analysis regarding users and permissions. A proposal for systematically verify- ing and validating non-temporal and authorization constraints via UML’s Object Constraint Language (OCL) is proposed in (Sohr, K. et al., 2008). The work reported in (Doan et al., 2010) also proposes an approach to integrate access control into UML for modeling and analysis of secure software systems. Another interesting area of addressing security at the process level is the business process model. The business process model could capture security functions during the modeling phase such as reported in (Baskerville, 1988; Herrmann & Pernul, 1999; Backes et al. 2003; Mana et al. 2003; D’Aubeterre et al. 2008). In most of these works, security requirements are incorporated into the business process model. Although,severalUMLbasedprocessmodelshavebeenproceed,unfortunately,wedonothavemany reports on how successful these are in practice, in real world software development. It would be much interesting to see that these are being used in the industry in order to develop security-aware software. Formal Techniques and Tools This area involves research in finding tools and techniques such as programming level constructs, formal approach, application of artificial intelligence, logic based approach, vulnerability detections and mitiga- tions, etc. The enforcement and verification of security policies at the low level software components is
- 22. xvii definitely a challenging task. There are several techniques used to ensure security of software systems. At the technique level, several research fronts are active in accommodating security issues at the low level programming units and logic of the program flows. Researchers have been exploring ways in which programming languages can be used to ensure that application software correctly enforces its security policies. This type of research work typically focuses on the enforcement of access control policies, data provenance tracking, information disclosure policies, and various forms of information flow policies in the program (Swamy et al., 2008b). Programming languages enable programmers to specify security policies and reason about that these policies are properly enforced in the program (Swamy et al., 2008a). One of the programming approaches to verify the correct enforcement of policies is to encode them as information flow policies for programs. Research on programming languages demonstrates that security concerns can be dealt with by using both program analysis and program rewriting as powerful and flexible enforcement mechanisms. The security typed programming languages can allow programmers to specify confidentiality and integrity constraints on the data used in a program, and the compiler could verify that the program satisfies the security constraints (Zdancewic, 2002). Another technique used for security-aware software is logic based approach that provides powerful expressiveness for the specification of security properties and the reason about security functions such as reported in (Fernandez, et al. 1989; Das, 1992; Fagin et al., 1995; Jajodia et al. 2001; Bertino et al. 2003).The logic based approach also provides reasonable flexibility for capturing security requirements. The predicates and rules of logic based language are used for expressing and evaluating authorization policies. A logic formalism has enough capability to specify, reason about and enforce access control polices in software systems. Answer set programming, a logic based approach, is also being used to express and verify access control polices of a system. The applicability of the knowledge representation and reasoning languages such as logic programming for the design and implementation of a distributed authorization system is becoming promising. Researchers use answer set programming to deal with many complex issues as- sociated with the distributed authorization along with the trust management approach (Wang, 2005). Formalauthorizationlanguagebasedonsemanticsofanswersetprogrammingcanexpressnon-monotonic delegation policies unambiguously. The expressive power of such languages can represent the delega- tion with depth, separation of duty, partial authorization, and positive-negative authorizations. The logic based approaches could be used in security requirements analysis and specification during the systems development process. A design decision on security associated with systems functionality could also be reasoned about using logic based programming. The application of logic based solution as well as programming features to the development of security-aware software looks promising. Standard Security Functions Standard security functions such as encryption, access control, authentication etc. are also required to ensure security-aware software systems. These functions ensure that security design and policies are adequately implemented and enforced as planned. Security functions are essential for the development of security software products. More research activities are required in order to identify ways how various security functions could be integrated or deployed at the micro level computing units in the software. It
- 23. xviii includes finding techniques on how various sophisticated security functions could be employed at data level as well as method level. It is also equally important to ensure that employing various security func- tions at the low level programming units would not degrade the usability of the system. There is a need for a balance between usability and the use of excessive visible security functions in a software system. CHALLENGES The research community has not come yet with any particular methods, tools, techniques and a process that will guarantee secure software construction. The following challenges still remain to be tackled: • Security-aware software development needs a standard process agreed by all stakeholders such as software engineers, security experts and tool developers. There is no standard process that can be used as a de facto standard. The research communities as well as professional bodies such as IEEE Computer Society, NIST, etc. have not agreed on any single process for the development of secure software. Perhaps, there is none. It is also not realistic to expect that a single silver bullet will enable us to develop security-aware software without obstacles. • We also need to catalogue various tools and techniques developed so far for security software. The catalog should clearly specify which tool or technique solves which specific problem, their performance rating, etc. An integration framework is required in order to show which tools and techniques are appropriate for which phases in the development process. A clear mapping of inte- gration between tools/techniques and development phases is desperately needed. • It is still an open question on how to measure the strength of software security in a continuous scale as opposed to a binary ‘secure’ ‘not secure’ values. How could we ascertain that system A is more secure than system B? We can envision a security metrics based approach that could forecast the relative security strength (or weakness) of a software product. A very few research work has been reported in this area so far. In other words, how do users know that a piece of software or its units are secure? • An important security requirement of service oriented software such as cloud computing is that the software learns nothing about the input data, or the computed results of clients. The software can process clients’ data without seeing them, as well as without comprehending the meaning of the output data. This goal should be achieved without employing extensive cryptographic techniques. • We also need more techniques on how to compose different security policies during the integra- tion of two software units in order to achieve a functionality. The composition of security policies in a dynamic software integration time is a challenging research task. It involves identifying con- tradictions between two participating security policies in a service composition, resolving these conflicts automatically, and so on. • Another challenging issue still remains unsolved – certification of software from security bugs. We need techniques that would enable software developers to specify achieved security in the software. The claimed security properties could be independently verified by third party certify- ing authorities. Once certified, software security properties could not be altered and the certificate cannot be tampered. • Finally, addressing the issue of trust in a software system is a big challenge. We need to find ways that could enable users to decide if software is trustworthy, if it is, how much etc.
- 24. xix ORGANIZATION OF THE BOOK The chapters of this book are grouped around the three major ingredients of secure software engineer- ing process that have already been discussed earlier. This collection presents total fifteen chapters, and they are grouped into three parts: • Section 1: Software Development Process ◦ ◦ Chapters 1-6 • Section 2: Formal Techniques and Tools ◦ ◦ Chapters 7-10 • Section 3: Standard Security Functions ◦ ◦ Chapters 11-15 CHAPTER ABSTRACTS Chapter 1 reports the results on an experience of developing a secure web based system for a financial service industry using the Secure Tropos methodology. The findings of the experiment demonstrate the effectiveness of the methodology for the construction of secure web based systems. It further supports the notion that incorporating security considerations from the early stages of the software development process promotes the idea of secure by design. The developed system was tested by an independent entity using penetration testing. The testing results indicate no presence of any major security problems. This chapter basically demonstrates how the application of a software engineering methodology could support the notion of secure by design. The chapter also shows that the proposed methodology is flex- ible enough to apply in other application domains. Chapter 2 presents a method for evaluating the security properties of service-oriented systems at the architectural level. The method attempts to recover security properties of the system by using reverse engineering techniques. It also provides automated support for further security analysis at the structural level. The proposed method is based on system-independent indicators and a knowledge base. It is in- dependent form any specific programming language or technology. The method is flexible enough for adapting in various application systems. The chapter also describes a prototype tool that implements the methods, and the associated knowledge base. It argues that the knowledge base allow flexible refine- ment and adaptation of existing evaluation rules, and addition of new security aspects to the analysis. It also supports reusability of security expertise obtained from past evaluations, and offers fine-tuning capabilities using its weighting scheme. Chapter 3 proposes a process framework, called IRIS (Integrating Requirements and Information Security), which provides guidance for the selection of technique when specifying security requirements in order to achieve secure software systems. The chapter demonstrates the applicability of the proposed framework by presenting a case study where the process framework was used to derive missing security requirements for an information security policy for a UK water company. It concludes with three les- sons informing future efforts to integrate Security, Usability, and Requirements Engineering techniques for secure system design. The chapter argues that without a better understanding of how to deal with security and usability concerns at an early stage of the systems development, the design process may not achieve the security goals of the system.
- 25. xx Chapter 4 reports an experience with a European Union project in designing security and depend- ability patterns. It uses SI* framework, an agent-goal-oriented modeling framework in order to analyze organizational settings together with technical functionalities. This chapter demonstrates how a frame- work could assist domain experts in designing security and dependability patterns, validating them by proof-of-concept implementations, and applying them to increase the security level of the system. It also shows how SI* framework has been used by industries for capturing security and dependability patterns, and how patterns can be applied to achieve a sufficient level of security in the system. The proposed patterns have been used in various application contexts such as air traffic management, e-Health smart systems, etc. Chapter 5 presents the results of a systematic survey to identify the state-of-the-art model driven development (MDD) focusing on security. The survey was carried out in order to find out how research communities deal with security in model driven development. The chapter addresses three issues: what are the major scientific initiatives describing automatic code generation from design models within the context of security in MDD, what empirical studies exist on the topic, and what are the strengths of the evidence that security aspects can be modeled as an inherent property and transformed to more secure code. It provides an introduction to the major secure model driven development initiatives and sug- gests that there is a lack of empirical work on the topic. It calls for standardization and more empirical research in this area. Chapter 6 proposes a methodology based on a comprehensive list of security mechanisms for detect- ing database security gaps. The security mechanisms are derived from widely accepted security best practices. The methodology is intended to be used for gap analysis of security features which have been extracted from seven software packages composed by widely used applications, including four DBMS engines and two Operating Systems (OS). The main objective of the study is to find how each software package actually helps developers and administrators to achieve their systems security goals.The chapter concludes with interesting results showing that while there is a common set of security mechanisms that are supported by most software packages, however, there are some important security issues that are not supported at all by any of these packages. Chapter 7 reports on a research effort that uses executable slicing as a pre-processing aid to improve the prediction performance of rogue software detection. The prediction technique used in this work is an information retrieval classifier that applies the feature extraction technique of randomized projection in ordertodetectpreviouslyunknown,knownorvariancesofknownroguesoftware.Thisapproachextracts particular sections or slices from potentially rogue software, and uses these slices to make a prediction. It demonstrates optimal results of a 4% increase in prediction performance and a five-fold decrease in processing time when compared to using the entire application for the prediction. It concludes that a better malicious software classifier can be predicted by applying an executable slicing technique as a pre-processing step to the technique of randomized projection. Chapter 8 propose a modal logic based approach to protect information system. The logic is used to specify and enforce security policies. The chapter provides the reasoning technique in response to the system access request especially in the situation where the grant access request is incomplete. The se- mantic of the language is provided by translating the language into epistemic logic program. The chapter demonstrates its applicability with a good number of realistic examples. It is expected that the proposed mechanism could be able to prevent unauthorized access to information systems more effectively. The chapter argues that the language has a strong expressive power to describe a variety of complex security requirements and policies.
- 26. xxi Chapter 9 proposes a formal language which can provide role-based access control to information stored in XML documents. The proposed language has the capacity to reason about whether access to an XML document should be allowed or not. The language constructs allows systems designers to specify authorisations on XML documents. The inclusion of temporal interval reasoning and the XPath query language in the language constructs is rich enough to support the specification of authorization features in XML formatted documents. The language basically can be used to define a security policy base ca- pable of specifying all access rights in the scope of an XML environment. The semantics of the language is provided through its translation into a logic program, namely Answer Set Programming (ASP). The chapter shows the application and expressive power of the language with a case study. Chapter10discussestheintegrationofXPwithsecurityfunctionsbasedontheCLASP(Comprehensive Lightweight Application Security Process) methodology in order to enable software developers using XP to construct secure software. CLASP provides a structured way to address security issues throughout the software development lifecycle. The proposed integration is basically based on interweaving the XP core practices with CLASP security best practices. The chapter argues that security measures should be applied in all phases in the development process. The claims are that this integration could possibly minimize the security vulnerabilities exploited by attackers. It is expected that the integration of XPwith security functions enables software developers build more secure software. The proposed approach for extending XP with security complements with CLASP security activities. Chapter 11 analyzes access control mechanisms of the Enterprise Java Beans (EJB) architecture and defines a configuration of the EJB protection system. It claims that the proposed configuration is less ambiguous than the EJB 3.0 standard. It presents an algorithm that formally specifies the semantics of authorization decisions in EJB. The chapter examines the level of support for the American National Standard Institute’s (ANSI) specification of Role-Based Access Control (RBAC) components and functional specification in EJB. It concludes that the EJB specification does not adequately supports the CoreANSI RBAC. This paper finally proposes a framework for assessing implementations ofANSI RBAC for EJB systems. Chapter 12 attempts to describe the process of development and testing of a new encryption key management protocol for highly dynamic and ad hoc networks. The proposed protocol is called Secure KeyDeploymentandExchange(SKYE).Italsodiscussesthesimulationsoftwaredesignparadigmsused to evaluate the performance of the proposed protocol. The research work demonstrates that the network security can be increased by requiring more servers to collaborate in order to generate a certificate for the new member, or by requiring a higher trust threshold along with the certificate request chain. Three different locations for servers relative to other nodes have been experimented with. It concludes with experimental evidence that the location of nodes designated as servers within the network has an impact on the likelihood of a successful issuance of a certificate. Chapter 13 primarily presents a model-driven development framework, namely JavaSPI, that allows the user to reliably develop security protocol implementations in Java. It supports a range of modeling activities ranging from the development of abstract models to the verification of models formally. Java is used as both a modeling language and the implementation language.The proposed JavaSPI framework is validated for its applicability by implementing a scenario of the SSL protocol. The chapter also claims that the framework could be successfully interoperated with OpenSSL, and has comparable execution time with the standard Java JSSE library. Chapter 14 presents a systematic study describing various attempts made to forge fingerprints to fool biometric systems. The chapter reviews a comprehensive number of relevant publications on forging
- 27. xxii fingerprints to fool sensors. It introduces the basics of biometrics in order to define the meaning of the term security along with the state of the art of biometric systems. It focuses on security of fingerprint scanners. It reports that a series of more than 30,000 experiments have been conducted to fool scanners. The experiments demonstrate that fingerprint scanners are not that easy to be deceived as the other re- search works suggest. The chapter provides a good deal of data to convince the reader that fingerprint scanners are secure, and cannot be fooled that easily. This work is believed to store public confidence on finger print scanners. Chapter 15 explores the consequences of integrating patient electronic consents in e-health access control by examining requirements. Based on the analysis, it proposes an architecture incorporating patient consent in the access control service of an e-health system. The work examines various options for representing patient consents, and investigates how to incorporate their directives into the access control decision process.The legal requirements concerning patient are introduced.The chapter proposes a format for representing patient consents, and suggests on how to govern them in their lifecycle. It also presents a policy evaluation algorithm and a reference authorization architecture that incorporates patient consents. The reference architecture is based on the extension of the XACML authorization model. An prototype of the proposed architecture and its evaluation with a case study is also presented. CONCLUSION The collection of these chapters embodies a wealth of research outputs and ideas in secure software development. The book is suitable for researchers, graduate students, as well as practitioners. It is ex- pected that this collection promotes the concepts of security-aware software development to a wider community comprising software engineers, security designers, researchers and beyond. I believe that the above line up of chapters with various flavors would generate enough interests in this topic. These chapters are expected to cover the three major ingredients of security-aware software development that have been outlined in this preface. The focus of each chapter varies from chapter to chapter ranging from hard technology to high level description of different ideas. Some chapters are based on complex mathematics, some are on logic, and few are based on operating system products. I am sure this book will satisfy readers from all areas of security-aware software development. Khaled M. Khan Qatar University, Qatar REFERENCES Alghathbar, K., & Wijesekera, D. (2003). AuthUML: A three-phased framework to model secure use cases. Proceedings of the Workshop on Formal Methods in Security Engineering: From Specifications to Code, (pp. 77-87). Backes, M., Pfitzmann, B., & Waidner, M. (2003). Security in business process engineering. In Proceed- ings of 2003 International Conference on Business Process Management, Lecture Notes in Computer Science vol. 2678, (pp. 168-183). Springer.
- 28. xxiii Baskerville, R. (1988). Designing information systems security. New York, NY: John Wiley & Sons. Bertino, E., Catania, B., Ferrari, E., & Perlasca, P. (2003). A logical framework for reasoning about access control models. ACM Transactions on Information and System Security, 6(1), 71–127. doi:10.1145/605434.605437 D’Aubeterre1, F., Singh, R., & Iyer, L. (2008). Secure activity resource coordination: Empirical evidence of enhanced security awareness in designing secure business processes. European Journal of Informa- tion Systems, 17, 528–542. Das, S. K. (1992). Deductive databases and logic program. Addison-Wesley. Doan, T., Demurjian, S., Michel, L., & Berhe, S. (2010). Integrating access control into UML for secure software modeling and analysis. International Journal of Secure Software Engineering, 1(1). doi:10.4018/jsse.2010102001 Epstein, P., & Sandhu, R. (1999). Towards a UML based approach to role engineering. Proceedings of the 4th ACM Workshop on Role-based Access Control, (pp. 75-85). ACM Press. Erl, T. (2005). Service-oriented architecture (SOA): Concepts, technology, and design. New Jersey: Prentice Hall. Fagin, R., Halpern, J. Y., Moses, Y., & Vardi, M. Y. (1995). Reasoning about knowledge. MIT Press. Fernandez, E. B., France, R. B., & Wei, D. (1995). A formal specification of an authorization model for object-oriented databases. Database Security, IX: Status and Prospects, (pp. 95-109). Herrmann, G., & Pernul, G. (1999). Viewing business-process security from different perspectives. International Journal of Electronic Commerce, 3(3), 89–103. Homeland Security. (2012). Build security in – Setting a high standard for software assurance. Retrieved January 29, 2012, from https://buildsecurityin.us-cert.gov/bsi/home.html Jajodia,S.,Samarati,P.,Sapino,M.L.,&Subrahmanian,V.S.(2001).Flexiblesupportformultipleaccess control policies. ACM Transactions on Database Systems, 29(2), 214–260. doi:10.1145/383891.383894 Jurjens, J. (2002a). Principles for secure systems design. Ph.D. Dissertation, Oxford University Comput- ing Laboratory, Oxford University. Jurjens, J. (2002b). UMLsec: Extending UML for secure systems development. Proceedings of UML, Springer LNCS, Vol. 2460, (pp. 1-9). Khan,K.(2012).Issuesandchallengesinsecurity-awaresoftwaredevelopment.Hershey,PA:IGIGlobal. Lodderstedt, T., et al. (2002). SecureUML:AUML-based modeling language for model-driven security. In Proceedings of UML, LNCS, Vol. 2460, (pp. 426-441). Springer. Mana, A., Montenegro, J. A., Rudolph, C., & Vivas, J. L. (2003). A business process-driven approach to security engineering. Proceedings of the 14th International Workshop on Database and Expert Systems Applications, (pp. 477-481). Prague.
- 29. xxiv Ray, I., et al. (2003). Using parameterized UML to specify and compose access control models. Pro- ceedings of the 6th IFIP Working Conference on Integrity and Internal Control in Information Systems, (pp. 115-124). ACM Press. Shin, M., & Ahn, G. (2000). UML-based representation of role-based access control. Proceedings of the 9th International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, (pp. 195-200). IEEE Computer Society. Siponen, M., Baskerville, R., & Heikka, J. (2006).Adesign theory for secure information systems design methods. Journal of the Association for Information Systems, 7(8), 568–592. Swamy, N., Corcoran, B., & Hicks, M. (2008a). FABLE:Alanguage for enforcing user-defined security policies. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland. Swamy, N., & Hicks, M. (2008b). Verified enforcement of stateful information release policies. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security. Wang, S., & Zhang, Y. (2005). A formalization of distributed authorization with delegation. In Proceed- ings of the 10th Australian Conference on Information Security and Privacy, LNCS 3574, (pp. 303-315). Zdancewic, S. (2002). Programming languages for information security. PhD thesis, Cornell University.
- 30. Section 1 Software Development Process
- 32. 1 Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Chapter 1 DOI: 10.4018/978-1-4666-2482-5.ch001 1. INTRODUCTION The application of ICT to the financial services industry can support the automation of a number of functions, which are crucial for the further de- velopment of the sector, such as the management of pre-employment screening, coordination of financial teams, compliance with relevant regu- lations and analysis of financial data. The credit crunch and the events of the last couple of years meant that the financial services industry is faced with large changes and as such the development Haralambos Mouratidis University of East London, UK Miao Kang Powerchex Ltd., UK Secure by Design: Developing Secure Software Systems from the Ground Up ABSTRACT This paper describes results and reflects on the experience of engineering a secure web based system for the pre-employment screening domain. In particular, the paper presents results from a Knowledge Transfer Partnership (KTP) project between the School of Computing, IT and Engineering at the University of East London and the London-based award winning pre-employment company Powerchex Ltd. The Secure Tropos methodology, which is based on the principle of secure by design, has been ap- plied to the project to guide the development of a web based system to support employment reference and background checking specifically for the financial services industry. Findings indicate the potential of the methodology for the development of secure web based systems, and support the argument of in- corporating security considerations from the early stages of the software development process, i.e., the idea of secure by design. The developed system was tested by a third, independent to the project, party using a well known method of security testing, i.e., penetration testing, and the results provided did not indicate the presence of any major security problems. The experience and lessons learned by the ap- plication of the methodology to an industrial setting are also discussed in the paper.
- 33. 2 Secure by Design of software systems to support the financial ser- vices industry and peripheral sectors introduces a number of new challenges and difficulties. Security is arguably one of the most crucial and necessary features of software systems that support the financial services industry and an acceptable financial software system may under no circumstances endanger the risk of monetary lose and the leakage of relevant sensitive (private or otherwise) data. In software engineering practice the usual approach is to perform the analysis, design and implementation of a software system without considering security, and then add security as an afterthought (Devanbu & Stubblebine, 2000; Mouratidis et al., 2006). Nevertheless, recent re- search has shown that such approach introduces a number of problematic areas and it leads to security vulnerabilities that are usually identified after the implementation and deployment of the system. Since at this point it is quite expensive to redevelop the system to completely overcome such vulnerabilities, the usual approach is to “patch” some of these vulnerabilities as they are identified. However, this is not an acceptable standardforthedevelopmentofhighrisksoftware systemssoftwaresystems(Blobel&France,2001; Mouratidis, 2004). The last few years, it has been widely argued, especially within the requirements engineering (Haleyetal.,2006;Basinetal.,2003;Hermann& Pernul,1999)andinformationsystems(Devanbu, 2000; McDermott & Fox, 1999; Mouratidis & Giorgini, 2006) research communities, that the number of security vulnerabilities could be reduced if security is considered from the early stages of the development process, i.e., a Secure by Design (SbD) approach is employed to sup- port the development of secure software systems. Generallyspeaking,SecurebyDesign,withinthe context of software engineering, means that the software has been designed from the ground up to be secure. In academia, this practice is mostly known as secure software systems engineering or software engineering for secure systems amongst other terms. Our work is not the only effort at integrating security considerations into software engineering practices and methods. Security requirements frameworks have been proposed (Haley et al., 2006; Mead, 2006) for security re- quirementselicitation,specificationandanalysis. Onanotherlineofwork,thebehaviourofpotential attackers is used to model security (Lamsweerde & Letier, 2000; Lin et al., 2003). Works have also beenpresentedthatextendedusecaseswithrespect to security analysis (Hermann & Pernul, 1999; Alexander, 2003). In addition, a large number of effortsarefocusedonextendingexistingmethods and languages for software systems development (Basin et al., 2003; McDermott & Fox, 1999). Apart from the academic works, industry has also started to recognize the advantages of de- veloping software systems following the Secure by Design principles. Microsoft has introduced the Security Development Process (http://www. microsoft.com/security/sdl/) while IBM has long supported the idea of introducing security as part of the development process (http://www-01.ibm. com/software/rational/announce/innovate/secure. html). McAfee and Citrix Systems have recently announced that they are focused on providing virtual desktops with products that are “secure by design” in order to protect large enterprises from thechangingsecuritylandscapeasemployeesare increasingly using mobile devices to access cor- porateresources(http://www.siliconrepublic.com/ strategy/item/18252-citrix-and-mcafee-release/). Nevertheless, empirical studies on the use of secure software systems engineering methodolo- gies have so far been limited. In fact, as far as we are aware, an industrial case study on using a methodology that supports the idea of secure by design from the early requirements stages and throughout the development stages has not been published so far. This paper aims to contribute to this gap by presenting and discussing the ap- plication of a software engineering methodology, which supports the idea of secure by design by in-
- 34. 3 Secure by Design corporatingtheanalysisofsecurityconsiderations from the early stages of the development system, to the development of a web based system for the financialservicesindustry.Ourfindingsfromthis project indicate the potential of the methodology forthedevelopmentofsecurewebbasedsystems, and they support the argument of incorporating security considerations from the early stages of the system development process, i.e., the idea of secure by design. The security of the developed web based system was tested using penetration testing techniques run by an independent to the project party. On the other hand, the paper de- scribes in the form of questions and answers our experienceandthelessonslearnedbythisproject. This paper is structured as follows. Section 2 discusses some of the challenges of Secure Software Systems Engineering and provides some requirements for a software engineering methodologytosupporttheintegrationofsecurity analysis. Section 3 provides information on the background of the project discussing the project setting, aims and the main challenges. Section 4 describes the methodology used and it reports on themainoutputsofitsapplicationtothePowerchex system. Section 5 reflects on our experiences by discussing the lessons learned, while Section 6 concludes the paper. 2. CHALLENGES OF SECURE SOFTWARE SYSTEMS ENGINEERING This section discusses the challenges faced in Secure Software Systems Engineering, along with a set of requirements for a methodology to support Secure Software Systems Engineering. Challenges 1. Developers,whoarenotsecurityspecialists, usually need to develop software systems that require knowledge of security; 2. Securityiswidelyinfluencedbytheenviron- ment in which the system resides. However, the environment can be unreliable and change rapidly; 3. Securityneedstobeconsideredinthecontext of the system development taking into ac- countlimitedresourcesandhighconstraints; 4. Security is an issue that crosses many dif- ferent research and practice areas. As such different security terms are understood differently in different domains. A typical example is that security solutions, such as encryptionandauthentication,aresometime considered security requirements. As a re- sult, there is an abstraction gap that makes the integration of security concerns into the softwareengineeringprocessmoredifficult; 5. It is difficult to define together security and functional components and at the same time provide a clear distinction. For instance, which components are part of the security architecture, and which ones are part of the functional specification; 6. It is difficult to move from a set of security requirements to a design that satisfies these requirements, and also understand what are theconsequencesofadoptingspecificdesign solutions for such requirements; 7. It is difficult to get empirical evidence of security issues during the design stage.This makestheprocessofanalysingsecuritydur- ing the design stage more difficult; 8. Itisdifficulttofullytesttheproposedsecurity solutions at the design level; 9. Lack of automated tools to support a secure by design process. Requirements for Methodology 1. Must allow novice security developers to successfully consider security issues dur- ing the analysis and the design of software systems;
- 35. 4 Secure by Design 2. Must employ the same concepts and nota- tionsduringthewholedevelopmentprocess in order to provide a common analysis foundation; 3. Must support the explicit definition of the applicability of the security process within its stages; 4. Must be clear and well guided; 5. Must define together security and func- tional requirements but also provide a clear distinction; 6. Must allow developers to identify possible conflicts between security and other func- tionalandnon-functionalrequirements,early in the process; 7. Must allow developers to analyse security requirements and base design solutions on such an analysis. In other words, it should allow developers to explore different archi- tectural designs according to the identified security requirements; 8. Must allow developers to validate the de- veloped security solution at design stage. It is worth noting that the above set of require- ments is not meant to be an extensive or static list but rather a set of minimum sets that each methodology should demonstrate. 3. PROJECT BACKGROUND The project is an active collaboration between the School of Computing, IT and Engineering at the University of East London and Powerchex Ltd. It is funded under the Knowledge Transfer Partnership(KTP)programme,whichisEurope’s leadingprogrammehelpingbusinessestoimprove theircompetitivenessandproductivitythroughthe betteruseofknowledge,technologyandskillsthat residewithintheUKknowledgebase(http://www. ktponline.org.uk) [i.e., academic institutions]. Powerchex specialises in pre-employment screening services for the UK financial services sector.Thecompany’sUniqueSellingPoint(USP) is based on a novel, labour-intensive, distributed screening-processreducingturnaroundtimeofthe pre-employment screening service from 20 busi- ness days, provided by competitors, to 5 business days.Powerchexclients,whoincludesomeofthe largest financial institutions in the UK and world- wide,senddetailsofjobapplicantstoPowerchex, who then performs a number of pre-employment screenings, ranging from full background checks toindividualcheckssuchascreditsearch,criminal record search, address verification and academic and professional qualification verification. A number of professionals from Powerchex wereinvolvedintheprojectrangingfromthecom- pany’s Managing Director (MD), the Operations Manager (OM), the Financial Manager (FM), the Quality Manager (QM), a number of Screeners andtheTechnicalDevelopmentManager(TDM). Therewasalsoinvolvementfromvarioussoftware engineersemployedeitherbyPowerchex’sservice providers (e.g., IT infrastructure, online and in house servers) or by Powerchex’s clients IT de- partments.Ourinitialanalysisandthediscussions with these stakeholders indicated that the current system demonstrates a number of problems: • Labour intensive and prone to errors, cost- ly and not readily scaleable and therefore lacking the capacity to deal with the vol- ume of work required for the expansion of Powerchex; • Not secure enough; the financial sector deals with large amounts of sensitive and private data and therefore security is the number one concern for major banks; • Cannot readily incorporate any additional services for clients (current or future); • Not conducive to staff retention (i.e., re- petitive tasks with little reward).
- 36. 5 Secure by Design As such the main challenge was to develop a system that will support faster and more efficient screeningprocess,withlesserrors;Reducethecost ofoperationbyenlargingthenumberofscreening applications that can be simultaneously handled; Support the collection and analysis of important data, leading to improved operational activity; Ensure the provision of secure services and of the security of the screening process; Support the provision of additional services and functional- ity for existing and new clients (e.g., electronic submission of applications for checking) as well as being a tool for attracting new clients (e.g., providing a psychometric testing option). Moreover,amainrequirementisthatthesecu- rity of the system must withstand various attack teststhatPowerchex’sClientswillperformbefore the system is in operation. Based on the above challenges and the va- riety of the team involved in the project and in particular the different knowledge of software developmentand/orITCingeneral,themainfour requirements for the selection of the appropriate methodology were: 1. To follow the Secure by Design idea and incorporatesecurityconsiderationsfromthe early stages of the development process; 2. To employ concepts that are easily under- stoodbysoftwareengineersaswellasstake- holders that are not familiar with software development; 3. To enable the analysis of security in various stages of the development process; 4. To enable the validation of the developed system at design stage. Toachievethese,wedecidedtousetheSecure Tropos methodology which includes (1) a model- ing language that is based on concepts, such as actor, goal, plan, resource, security constraint, attacker and attack, which are easily understood evenbynoITCsavvystakeholders;(2)asecurity- aware process that introduces security analysis from the early stages of the development process; (3)andanautomatedtoolthatsupportstheanalysis of security at different level and in various stages of the development process. 4. SECURE BY DESIGN DEVELOPMENT OF POWERCHEX’S PRE-EMPLOYMENT SYSTEM 4.1. Secure Tropos 4.1.1. Modelling Language The Secure Tropos methodology (Mouratidis, 2004)isbasedontheprinciplethatsecurityshould be considered from the early stages of the devel- opment process and not added as an afterthought. The modeling language of Secure Tropos is basedontheconceptofSecurityConstraint.ASe- curityConstraintisaspecialisationoftheconcept of constraint. In the context of software engineer- ing, a constraint is usually defined as a restriction that can influence the analysis and design of a softwaresystemunderdevelopmentbyrestricting some alternative design solutions, by conflicting withsomeoftherequirementsofthesystem,orby refining some of the system’s objectives. In other words,constraintscanrepresentasetofrestrictions that do not permit specific actions to be taken or prevent certain objectives from being achieved. Often constraints are integrated in the specifica- tionofexistingtextualdescriptions.However,this approachcanoftenleadtomisunderstandingsand an unclear definition of a constraint and its role in the development process. Consequently, this results in errors in the very early development stages that propagate to the later stages of the de- velopment process causing many problems when discovered; if they are discovered. Therefore, in the Secure Tropos modelling language we define security constraints, as a separate concept.To this end, the concept of security constraint has been defined within the context of Secure Tropos as:
- 37. 6 Secure by Design A security condition imposed to an actor that restricts achievement of an actor’s goals, execu- tion of plans or availability of resources. Security constraints are outside the control of an actor.An actor (Bresciani et al., 2004) represents an entity that has intentionality and strategic goals within the software system or within its organisational setting. Within a network of actors, which is usually the case in large software systems with multiple stakeholders, one actor might depend on another actor for a goal, a plan or a resource. A goal(Brescianietal.,2004)representsacondition in the world that an actor would like to achieve. In other words, goals represent actor’s strategic interests.Aplan represents, at an abstract level, a way of doing something (Bresciani et al., 2004). The fulfillment of a plan can be a means for satisfying a goal. As such, different (alternative) plans, that actors might employ to achieve their goals, are modeled enabling software engineers to reason about the different ways that actors can achievetheirgoalsanddecideforthebestpossible way. A resource (Bresciani et al., 2004) presents a physical or informational entity that one of the actors requires. The main concern when dealing withresourcesiswhethertheresourceisavailable and who is responsible for its delivery. To model goals,plansandresourcesthataresecuritycrucial, the modeling language extends the original defi- nition of goal, plan and resource by introducing secure goals, secure plans and secure resources. A secure goal represents a strategic interest of an actor with respect to security. In the Secure Tropos context, strategic interest means a course of action that an actor needs to follow to satisfy one or more security constraints. The satisfaction of one or more security constraints by a secure goal is defined through a Satisfies relationship. It is worth stating that a secure goal does not define operationaldetailsofhowasecurityconstraintcan be satisfied, since operational alternatives can be considered. A secure plan represents a particular way for satisfying a secure goal. In the context of Secure Tropos, this means a specific and defined action that an actor executes to operationalise a secure goal. A secure resource is defined as an entity that is security critical for the system under development. To support the modeling of an actor depending on another actor for a secure goal, secure plan and/or secure resource, Secure TroposintroducestheideaofSecureDependency. A Secure Dependency introduces one or more Security Constraint(s) that must be fulfilled for the dependency to be valid. To support the analysis and evaluation of the developed security solution, the modeling language supports the modeling of security at- tacks. An attack is an action that might cause a potential violation of security in the system (this definition has been adopted by Matt Bishop’s definitionofacomputerattack).Withinthecontext of an attack, an attacker represents a malicious actor that has an interest to attack the system. As described above, an actor has intentionality and strategic goals within the system. In the case of an attacker, the intentionality and strategic goals are related to breaking the security of a system and identifying and executing threats. Threats represent circumstances that have the potential to cause loss; or problems that can put in danger the security features of the system. In order to understand the threats that an attacker introduces to the system, it is important to have clear knowl- edge of the security capabilities of the system. A securecapabilityrepresentstheabilityofanactor to achieve a secure goal, carry out a secure plan and/or deliver a secure resource. 4.1.2. Process and Tool Support To support the requirements for a security-aware methodologyidentifiedintheprevioussection,we developedaniterativeprocessthattakesadvantage of the Secure Tropos modeling language in the context of four different models. The process, which starts at the early requirements stage and it covers up to detailed design, is one of identifying the security requirements of the software system, transforming these requirements to a design that satisfiesthemandvalidatingthedevelopedsystem
- 38. 7 Secure by Design with respect to security. The process is supported by a number of modeling activities (Mouratidis, 2004),whichresultinclearmodels.Thesemodels are described. The methodology is also supported by an automated tool. The tool, called secTro (http:// sectro.securetropos.org/), is a platform indepen- dent analysis and modelling tool that supports the development and analysis of the methodology’s models. The tool has been developed following an iterative approach and it is based on JAVA. In particular,thetoolallowsdeveloperstomodelthe system under development and its environment and it supports the capture of properties of the various models, and of their components. These are represented as XML type specifications and can be then fed into tools that support the analy- sis of the security properties of the system under development such as the UMLsec set of tools. The UMLsec set of tools (http://ls14-www.cs.tu- dortmund.de/main2/jj/umlsectool/index.html) generate logical formulas formalizing the execu- tionsemanticsandtheannotatedsecurityrequire- ments. Automated theorem provers and model checkers automatically establish whether the securityrequirementshold.Ifnot,aProlog-based tool automatically generates an attack sequence violating the security requirement, which can be examinedtodetermineandremovetheweakness. This way we encapsulate knowledge on practical security engineering as annotations in models or code and make it available to developers who may not be security experts. Since the analysis that is performed is too sophisticated to be done manually, it is also valuable to security experts. 4.1.3. Models • Security Analysis Model (SAM): A Security Analysis Model supports the un- derstanding of the social dimension of se- curity by considering the social issues, of the system environment, which might af- fect its security. In doing so, the environ- ment in which the system will be operation- al is analysed with respect to security. The model enables software system developers to understand the security concerns of each actor and model these concerns with appro- priate security constraints. In particular, the model allows software engineers to model the various actors along with their strategic and security needs; and to identify for each actor security constraints. Further analysis is then taking place to examine the security constraints imposed on individual actors and identify any related secure goals, plans and resources that assist in satisfying those security constraints. Figure 1 shows a limited view1 of the Pow- erchex Security Analysis Model. In particular, the model captures the main actors of the system environment along with their goal dependen- cies and security constraints. The Client actor depends on Powerchex to Screen Employment Candidates. This goal dependency however introduces a security constraint for Powerchex to Comply with Relevant Privacy Laws. In order for Powerchex to perform the relevant checks, information is needed from the Applicant. This is provided through a pre-employment screening form that the Applicants need to fill in and send to Powerchex. Once Powerchex has this form, the screeningprocesscanstart.Powerchexisimposed a security constraint to Secure theApplicant Data as part of the Receive Filled in Form dependency. To perform the relevant checks, Powerchex depends on a number of search providers as well as the Financial Services Authority (FSA). Rel- evant security constraints have been identified based on these dependencies as shown in Figure 1. For example, Screener 1 Team depends on Online Service Providers to Obtain Relevant
- 39. 8 Secure by Design Searches. However, Online Services Providers are imposed with security constraints such as AllowAccessOnlytoRegistered[totheirservice] Users. Once the environment of the system has been analysed and modeled, that information is fed to the System Security Requirements Model. • System Security Requirements Model: This model allows the capturing and analy- sis of the technical dimension of security and how this translates to security require- ments for the system. It allows a deeper understanding of how the system under de- velopment can support goals to be fulfilled, security constraints to be operationalised, secure plans to be performed and avail- ability of security related resources. In the Systems Security Requirements Model the system is introduced, as another actor, and its security constraints are furthered ana- lysed until a set of security requirements based on these security constraints are de- rived. In particular, the system is allocated all the relevant goals and dependencies identified in the previous model along with the relevant security constraints. By us- ing standard software engineering analysis techniques, such as means-end and decom- position, along with automated tool sup- port the information captured in this model is the definition of the system’s security re- quirements enhanced with a set of security constraints, along with the system’s secu- rity goals and entities that allow the satis- faction of the security requirements of the system. With respect to the Powerchex System, the information captured by the Security Analysis Model provides a number of security constraints that Powerchex and its relevant actors need to satisfy. For example, see Figure 2, the main goal oftheSystemistosupporttheAutomatedApplica- tion Process. In doing so, a number of goals are identified that support the achievement of that root goal. Two of these goals are: Manage Client Information and Requests and Supports Checks Registration and Monitoring. Through such analysis a number of security constraints are identified and imposed to the systemsuchasKeepApplicantInformationSecure, SecureInformationAccess,KeepSearchesSecure and Produce Proof of Relevant Searches Further analysis of these security constraints results in the identification of a number of security require- Figure 1. Security analysis model
- 40. 9 Secure by Design ments for the system such as Support Encrypted Information Sharing, Keep Record of Communi- cation, Ensure Security of Authentication Cre- dentialsandMonitorandRecordRelevantChecks. • Secure Components Specification Model: The main aim of this model is to define the architecture of the system with respect to its security requirements. To achieve this, the Secure Components Specification model consists of Secure Capability Diagrams and UMLsec Deployment Diagrams (Jürjens, 2004). This combination allows us to determine the general architecture and the compo- nents of the system, and model the security properties of the data structures and archi- tecture. The translation between Secure Tropos diagrams and UMLsec diagrams is taking place following a set of transfor- mation rules (Mouratidis et al., 2006) and with the aid of the automated tools pro- vided. The Secure Tropos tool produces XML code from the corresponding Secure Tropos models, while the UMLsec tool ac- cepts XML input. Moreover, the constraints associated with UMLsec stereotypes are checked mechanically, based on an XMI representation of the UML models and using sophisticated analysis engines such as model-checkers and automated theorem provers. The results of the analysis are given back to the developer, together with a modified model, where the weaknesses that were found are highlighted. Figure 3 provides an example of an UMLsec Deployment Diagram illustrating the physical al- location of part of the Powerchex System related to the Support Encrypted Information Sharing security requirement. TheApplicant submit their informationthroughasecurechannel(information istransmittedencryptedusingSSLv3).Thesystem performsappropriatecheckstoensurethatcorrect Figure 2. System security requirements model
- 41. 10 Secure by Design certificates have been provided and once that is ensured the relevant information is registered. Ontheotherhand,SecureCapabilityDiagrams are used to analyse specific security related ca- pabilities of the system. For example, Figure 4 illustrates a Secure Capability Diagram for the Applicant Search Request sent by a Client to Powerchex. When a client submits a request to Figure 3. Physical allocation of the system for applicant registration Figure 4. Secure capability diagram for applicant search request
- 42. 11 Secure by Design the Powerchex system to provide information aboutaparticularapplicant’ssearches,thesystem verifiestherelevantrequestsandifthecertificates provided are valid it provides the information. Security Attack Model The Security Attack Model enables us to test the developed solution against potential attacks at the design level. Initially, we develop scenarios to assist in the identification of relevant attack situations and potential vulnerabilities in the system.Forthisreason,SecurityAttackScenarios (Mouratidis & Giorgini, 2007) are employed. A Security Attack Scenario (SAS) is defined as an attack situation describing the actors of the soft- ware system and their secure capabilities as well as possible attackers and their goals. It identifies how the secure capabilities of the system prevent (if they prevent) the satisfaction of the attackers’ goals. A security attack scenario involves pos- sible attacks to an information system, a possible attacker, the resources that are attacked, and the actors of the system related to the attack together with their secure capabilities. To support uniformity throughout the security process, we use the same concepts as in the Se- curity Analysis Model. In particular, an attacker is depicted as an actor who aims to break the security of the system. The attacker intentions are modeled as goals and tasks and their analysis follows the same reasoning techniques as in the Security Analysis Model. Scenarios are derived by identifying potential attacks to the security features of the system identified in the Secure Components Specification Model. For the Powerchex system, our analysis iden- tified the following categories of attacks as first described by Stallings (1999): 1. Interception: In which an unauthorised party, such as a person, a program or a computer, gains access to an asset. This is an attack on privacy. 2. Modification: In which an unauthorised partynotonlygainspartytobutalsotampers with an asset. This is an attack on integrity. 3. Interruption: In which an asset of the sys- tem is destroyed or becomes unavailable or unusable. This is an attack on availability. Figure 5 illustrates a simple interception se- curity attack scenario for the Powerchex system. The attacker’s main aim is to attack theApplicant Information (Private Information) transmitted between the Powerchex System (Internal System Agent) and a Client (External Agent). However, the analysis in the previous stages have resulted in the introduction of Enryption and Decryption processes and the creation of a secure channel that helps towards that type of attack. Moreover, with the aid of automated theorem provers and using the information from the secu- rity attack scenarios together with the physical allocation of the system components (as defined in the previous model) we are able to investigate further these attacks. We use UMLsec tools for this analysis. In general,wheninvokingthetoolwiththeUMLsec models, a security attack scenario is included as an input, and the tool generates the input for the automated theorem prover. The input specifies the assumptions on the initial knowledge of the attacker and the attack conjecture, in first-order logic. An example of this information is shown in Box 1. The automated theorem prover that is called by the UMLsec tool framework then investigates whethertheattackconjecturecanbederivedfrom the logical formulae formalizing the assumptions on the system and the adversary. The output from the automated theorem prover is then interpreted bytheUMLsectool,anditsinterpretationregard- ing the security requirements under analysis are provided to the user. Taking into account the information from the interception scenario modeled with the aid of the security attack scenarios process, a potential at- tacktothePowerchexsysteminvolvesanattacker listening to the messages sent between the system
- 43. 12 Secure by Design and the Clients (man-in the-middle-attack). As a result,thecommunicationunderliesthefollowing threats:(1)Theintruderinterceptsallthemessages sent between objects. She/He can save them for analysis and further use; (2) Messages can be deleted by the intruder, so that the receiver is not able to get a specific message; (3) The intruder is able to insert messages into the communication between objects; (4) By combination of these threats,theintruderisabletomanipulatemessages. Such threat can be avoided by using an additional encryptionmechanismfortransmittingpermission certificates. For this reason, for the Powerchex system we have employed an appropriate secure protocol. After invoking the automated theorem prover, with the above information, the UMLsec tool reported that the attack conjecture is not derivable from the axioms, which means that the protocol is secure with respect to the threat scenario and the security requirements that were considered. 5. LESSONS LEARNED In this sub-section we discuss all the lessons learned from the application of the methodology. We employed a questions/answers format fol- lowing similar evaluations found in the literature (Jürjens et al., 2008). Box 1. %-------- Attackers Initial Knowledge ----------- input_formula(previous_knowledge,axiom,(knows(conc(k_ca, conc(conc(id_a, conc(k_a, eol)), conc(inv(k_a), conc(sign(conc(id_a, conc(k_a, eol)), inv(k_ ca)), eol))))))). %------------------------ Conjecture ------------------------- input_formula(attack,conjecture,( knows(sign(conc(id_p, conc(id_a, conc(m_nt, conc(nt, eol)))), inv(k_p))))). Figure 5. Example of security attack scenario representation
- 44. 13 Secure by Design 5.1. Lessons Related to Software Engineering Practice How the Approach is Perceived by Software Engineers? The majority of the models are created using the secureTroposmodellinglanguage.Suchlanguage isbasedonthei*(Yu,1995)andTropos(Bresciani etal.,2004)notationandconceptsthatalthoughare notwidelypopulartosoftwareengineers–suchas forexampleUMLconceptsandnotation-theyare well known in the requirements engineering area. As such we expect that an initial effort is required to understand these concepts and familiarise with the relevant notation. The project included a number of software engineers with different skills. None of them was familiar with the Secure Tropos modelling language and notation. Introductory sessions took place to familiarise the engineers with the methodology.The feedback received was that the concepts and models are easy to understand. A number of questions were raised about some of the notation used and about the scalability of the models. Moreover, as indicated in the previous sections, a number of UMLsec models are used at the later stage of the approach. In general, these wereeasilyunderstoodsincetheyaremainlybased on UML, with which all the software engineers were familiar. Did You Encounter Any Problems With The Development Of The Models? Asdiscussedinprevioussections,thetoolsupports an automated consistency check of the developed models with the aid of a pre-defined set of con- sistency rules. However, during the project we encountered some issues related to inconsistent models. This was mainly the case because the implementationoftheconsistencyrulestothetool wasnotproperlyexecuted.Amanualinspectionof some of the models indicated that the inter-model rules were enforced by the tool properly but there were some issues with the outer-model rules, which resulted in problems with the consistency of the Secure Components Specification Model and the Attack Scenarios Model. This was the case because these models were created using information from previous models, which use the secure tropos modelling language together with UMLsec concepts and diagrams. As the concepts and notations of these two approaches are different, a number of issues were present that the initial set of consistency rules (Mouratidis, 2004) did not anticipate. A set of guidelines and steps were developed (Mouratidis et al., 2006) to support the correct integration and eliminate the inconsistencies. Another issue encountered was the scalability of the models. Due to the complexity of the case study, the models developed were very large and that made their development and analysis very difficult. It is worth mentioning however, that the software engineers acknowledged that this is not just an issue with this specific approach but it is anissuefoundinanumberofrelevantapproaches. Did You Come Across Any Unexpected Obstacles On The Application Of The Approach On Any Of The Case Studies? The application of the approach to the case study did no yield any unexpected obstacles. As dis- cussed above, there were some inconsistencies between the models due to some errors on the guidelines, but we were expecting something like this since this was the first time our approach was applied to such complex system and to that specific domain. On the other hand, once these inconsistencies were solved, the methodology worked as expected and we were able to analyse the environment of the system in terms of its security, transform this analysis to a design, and validate the design.
- 45. 14 Secure by Design Does the Application Of The Methodology Guarantee The Development Of A Totally Secure Software System? It is widely accepted that no software systems can be considered to be 100% secure. We share this view, and we do not claim that the application of our methodology guarantees the development of totallysecuresoftwaresystems.Ontheotherhand, we argue that the application of our methodology assist in the development of a system that is more secure than a system that has been developed by a methodologythatdoesnotconsidersecurity.This argument is mainly supported by experimental findings of the penetration testing and the valida- tion of the security solution, where we identified initialvulnerabilitiesthatthemethodologyhelped us to analyse further and resolve. Moreover, this claim can also be supported by theoretical argu- ments. First of all, the methodology allows the consideration of both the technical and social aspects of security and therefore allows develop- ers to obtain, from very early in the development process, a clear understanding of any potential security vulnerabilities that might raise from the interplay of the two security aspects. By identify- ing such vulnerabilities early in the development process, developers are given the opportunity to proper analyse them and find ways to overcome them. Moreover, the methodology allows the consideration of the organisational environment forthemodellingofsecurityissues,byfacilitating the understanding of the security needs in terms of the real security needs of the stakeholders, and then it allows the transformation of the security requirements to a design that is amenable to for- mal verification with the aid of automatic tools. This introduces a well structured approach to support the idea of secure by design. In addition, the production of models that integrate security concerns, as opposed to the production of models without security concerns, allows developers to (1) reason in a conclusive way and by taking into account simultaneously the general requirements of the system together with the security require- ments and therefore identify any conflicts; (2) develop a extensive and precise security-aware documentation, something that it is required by common security standards, such as the Common Criteria(http://www.commoncriteriaportal.org/). Does The Methodology Require Security Expertise? Not all software engineers involved in the project had extensive security training and knowledge. Theyhadhoweverabasicsecurityknowledge.By applying our approach to the case study it became obviousthatbecauseoftheintegrationofsecurity analysis into the software engineering process, some extra effort and knowledge is required from software engineers to familiarise with the security concepts, and the process of considering security requirements from the early stages of the development process. Because of this, we expect that our approach will be an attractive option to software engineers looking to develop security- critical systems rather than a general option for any software system development. 5.2. Specific Case Study Related Lessons How Appropriate Is The Methodology For The Development Of Secure Financial Service Software Systems? We found the approach appropriate for the proj- ect. We believe that the appropriateness of the methodology lies on the fact that it allows us to analyse in a unified framework both the social and the technical dimensions of security.Another important issue for software systems used for the
- 46. 15 Secure by Design financial services industry is the need to consider in detail any privacy requirements of the system. Our approach allows developers not only to elicit the privacy requirements imposed to the system by the various stakeholders and users, but also by its environment (for instance data sharing laws and rules of a country). Such requirements are subsequently used to determine the architecture of the system and also to analyse whether the developed system is protected against a number of various security scenarios at design stage. How The Application Of The Methodology Helped To Improve The Security Of The PowerChex System? The methodology allowed us to identify the secu- rity requirements of the systems early in the de- velopmentprocessandmotivatethedevelopment of an architecture that meets these requirements. Then,withtheaidofappropriateautomations,we were able to check whether the security require- mentsaresatisfiedornot.Forexample,ouranaly- sis indicated the need to ensure a strong session management.Strongsessionmanagementensures an authenticated user has a cryptographically se- cure association with his session. To support that issue,ouranalysisindicatedtheneedtorandomise session identifiers to an appropriate size and use extensive available characters. It also indicated the need to automatically time out after 1 hour when the applicant is completing the form and after 10 minutes when the applicant is viewing the submitted form. The session data should be stored in encrypted and self-deleted cookies. Our analysis also helped to identify measurements to reducevulnerabilitiesbasedonCross-sitescripting (XSS)andSQLInjection.Inparticular,weidenti- fied that this issue can be avoided by designing the system to filter all user inputs, e.g., silently strip certain punctuation characters, keywords in script languages and keywords in SQLlanguages to avoid SQL injection. What was the Perception Of The Non-It Savvy Participants Of The Methodology’s Concepts And Models? In their majority, they found the concepts of the methodology easy to understand and use. This is particularly true of the concepts employed during the initial models (Security Analysis Model and System Security Requirements Model) i.e., these modelsthatrequiremaximuminteractionwiththe potential system users.The feedback we received stated that it is easy to understand concepts such as actors, goals, plans, security constraints and attackers. This is mainly due to the association of theseconceptstoreallifeconceptsthatarewidely used in everyday life. On the other hand, similar to the software engineers, concerns were raised about the potential complexity of the models, especiallyastheanalysisofthesystemprogresses and the models are becoming larger. 5.3. Penetration Testing The system was tested by third party security expert companies performing penetration testing (Wilhelm, 2009) by simulating attacks from ma- licious sources. The penetration tests performed automated security scannings of the system, fol- lowed by manual attack tests and non-technical attackstoidentifyanyvulnerabilityinthesystem. Inparticular,thetestswerebasedona“black-box” approach, which assumes no access to the system source code or internal details about the system. The tests were conducted both from the point of view of an anonymous internet-based attacker, and from the point of view of legitimate users of the service. The tests examined, amongst oth- ers, the following areas of the system: Network services are securely configured; Externally vis- ible backdoors; URL parameters or hidden fields manipulation; System access out of sequence or without required authorization; Use of cookies; Uploaded data to the system is handled safely; Data validation; Secure authentication; Secure
- 47. 16 Secure by Design session management; Strong encryption is used; Appropriate error handling is performed. To test the application’s security, the third party company performed the following attacks: Source Code Itwasunabletodecompiletheapplication’ssource code which was also compiled with debugging informationexcluded(whichcouldrevealthefile namesandpathsonthesystemwhereitwasbuilt). Anonymous Access and Information Leaks The application developed is served entirely over secure HTTPS, with connections to the HTTP version of the site being immediately redirected to the corresponding HTTPS URL. The results found that no comments or infor- mation that would be useful to an attacker were found in the source code of the publicly available application pages. The third party company also entered various SQLmeta-characters into the username and pass- word fields of the login form and was unable to provoke any error messages. This indicates that the inputs are encoded correctly and so the login form is not susceptible to SQL injection.And the username and password are never echoed back to the user and therefore the login form is not vulnerable to cross-site scripting attacks. Login and Session Management The results found that usernames and passwords suppliedbytheapplicationappeartoberandomly generated and highly secure with characters con- tained upper and lower case letters, numbers and punctuation. And it is highly unlikely that an attacker would be able to gain access to a confidential page. Authorisation It has been not possible to log in using one user’s URL and another user’s credentials. Attempting to access a URLnot associated with a user results in a “Not Found” error page. Data Handling Punctuation characters were all removed from inputs, so a user could not construct a cross-site scripting attacks (XSS) attack by entering a string suchas</textarea><script>alert(‘XSS’)</script>. SQLmeta-charactersandexpressionswerealso submitted, but in all cases the data were handled correctly and it was unable to construct an SQL injection attack. The official report received about the penetra- tion testing2 indicated that no sensitive informa- tion is leaked from the system, and that relevant securitymechanismsenforcethesecuritypolicies and requirements of the system. 6. RELATED WORK In recent years, a considerable number of works withthedesiretointroducesecurityconsiderations during the various stages of the software systems development process have been presented in the literature. Anton et al. (2004) propose a set of general taxonomies for security and privacy, to be used as a general knowledge repository for a (security) goal refinement process. Schumacher and Roedig (2001) apply the pattern approach to thesecurityproblembyproposingasetofpatterns, called security patterns, which contribute to the overall process of security engineering.Although useful, these approaches lack the definition of a structuredprocessforconsideringsecurity.Awell defined and structured process is of paramount importance when considering security during the development stages of software systems.
- 48. 17 Secure by Design On the other hand, a number of researchers model security by taking into account the be- haviour of potential attackers. Van Lamsweerde and Letier (2000) use the concept of security goals and anti-goals. Anti goals represent mali- cious obstacles set up by attackers to threaten the security goals of a system. Crook et al. (2002), introduce the notion of anti-requirements to rep- resent the requirements of malicious attackers. Anti-requirements are expressed in terms of the problem domain phenomena and are satisfied when the security threats imposed by the attacker are realised in any one instance of the problem. Similarly, Lin et al. (2003), incorporate anti- requirements into abuse frames. The purpose of abuse frames is to represent security threats and to facilitate the analysis of the conditions in the system in which a security violation occurs. An importantlimitationofalltheseapproachesisthat securityisconsideredasavaguegoaltobesatisfied whereas a precise description and enumeration of specific security properties is still missing. Differently, another “school of thinking” indi- cates the development of methods to analyse and reason about security based on the relationships between actors (such as users, stakeholders and attackers)andthesystem.Liuetal.(2003)analyse security requirements as relationships amongst strategic actors by proposing different kinds of analysistechniquestomodelpotentialthreatsand security measures.Although a relationship based analysis is suitable for reasoning about security, an important limitation of existing approaches is thateachofthemonlyguidesthewaysecuritycan be handled within a certain stage of the software development process. Another direction of work is based on the extension of use cases and the Unified Modelling Language (UML). In particular, McDermott and Fox (1999) adapt use cases to capture and analyse security requirements, and they call the adaption an abuse case model. An abuse case is defined as a specification of a type of complete interaction betweenasystemandoneormoreactors,wherethe resultsoftheinteractionareharmfultothesystem, one of the actors, or one of the stakeholders of the system. Similarly, Sindre and Opdahl (2005) define the concept of misuse case, the inverse of usecase,whichdescribesafunctionthatthesystem should not allow. They also define the concept of mis-actor as someone who intentionally or ac- cidentally initiates a misuse case and whom the system should not support in doing so. Jurgens et al. (2004) proposes UMLsec, an extension of the Unified Modelling Language (UML), to include modelling of security related features, such as confidentiality and access control. Lodderstedt et al. (2002) also extend UML to model security. In their work, they present a security modelling language called SecureUML. They describe how UML can be used to specify information related to access control in the overall design of an ap- plication and how this information can be used toautomaticallygeneratecompleteaccesscontrol infrastructures.An important limitation of all the use-case and/or UML related approaches is that they do not support the modelling and analysis of security requirements at a social level but they treat security in system-oriented terms. In other words, they lack models that focus on high-level security requirements, meaning models that do not force the designer to immediately go down to security requirements. 7. CONCLUSION Thispaperpresentsourexperiencesfromtheappli- cationofaSecurebyDesignsoftwareengineering methodologytothedevelopmentofthePowerchex System. Our findings indicate that the use of our approachsupportedthedevelopmentofasoftware system that meets its security requirements and it has withstand penetration tests performed by an external to the project party. Our experience on the other hand also indicated some issues for consideration, such as potential complexity of
- 49. 18 Secure by Design the models, and resolving these issues is our aim for future work. Although this paper presents the application of our approach to the financial services industry domain,webelievethattheapproachisapplicable tothedevelopmentofsecurity-criticalsystemsfor domains such as telecommunications and health care. Depending on the application domain and thesecurityfocusofthatparticulardomain,minor modifications might be necessary. Nevertheless, webelievethatthemethodologyisflexibleenough to allow such modifications with minor effort. REFERENCES Alexander, I. (2003). Misuse cases: Use cases with hostile intent. IEEE Software, 20(1), 58–66. doi:10.1109/MS.2003.1159030 Anton, A. I., & Earp, J. B. (2004). A require- ments taxonomy for reducing web site privacy vulnerabilities. Requirements Engineering, 9(3), 169–185. doi:10.1007/s00766-003-0183-z Basin, D., Doser, J., & Lodderstedt, T. (2003). Model driven security for process oriented sys- tems. In Proceedings of the 8th ACM Symposium on Access Control Models and Technologies, Como, Italy. Blobel, B., & France, R. A. (2001). A systematic approach for analysis and design of secure health information systems. International Journal of Medical Informatics, 62(2). Bresciani, P., Giorgini, P., Giunchiglia, F., My- lopoulos, J., & Perini, A. (2004). TROPOS: An agent oriented software development methodol- ogy. Journal of Autonomous Agents and Multi- Agent Systems, 8(3), 203–236. doi:10.1023/ B:AGNT.0000018806.20944.ef Crook, R., Ince, D., Lin, L., & Nuseibeh, B. (2002).Securityrequirementsengineering:When anti-requirements hit the fan. In Proceedings of the10thInternationalRequirementsEngineering Conference (pp. 203-205). Devanbu, P., & Stubblebine, S. (2000). Software engineering for security:Aroadmap. In Proceed- ingsoftheInternationalConferenceontheFuture of Software Engineering (pp. 201-211). Haley,C.B.,Laney,R.,Moffett,J.D.,&Nuseibeh, B.(2006).Arguingsatisfactionofsecurityrequire- ments. In Mouratidis, H., & Giorgini, P. (Eds.), Integrating security and software engineering: Advancesandfuturevisions(pp.16–43).Hershey, PA:IdeaGroup.doi:10.4018/978-1-59904-147-6. ch002 Hermann, G., & Pernul, G. (1999). Viewing business-processsecurityfromdifferentperspec- tives. International Journal of Electronic Com- merce, 3, 89–103. Jürjens, J. (2004). Secure systems development with UML. New York, NY: Springer. Jürjens, J., Schreck, J., & Bartmann, P. (2008). Model-based security analysis for mobile com- munications. In Proceedings of the International Conference on Software Engineering (pp. 683- 692). Lamsweerde, A., & Letier, E. (2000). Handling obstaclesingoal-orientedrequirementsengineer- ing. IEEETransactionsonSoftwareEngineering, 26(10), 978–1005. doi:10.1109/32.879820 Lin, L., Nuseibeh, B., Ince, D., Jackson, M., & Moffett, J. (2003). Introducing abuse frames for analysing security requirements. In Proceedings ofthe11thIEEEInternationalRequirementsEngi- neeringConference,Monterey,CA(pp.371-372).
- 50. 19 Secure by Design Liu, L.,Yu, E., & Mylopoulos, J. (2003). Security and privacy requirements analysis within a social setting. In Proceedings of the 11th International Requirements Engineering Conference (pp. 151- 161). Lodderstedt, T., Basin, D., & Doser, J. (2002). SecureUML: A UML-based modelling language for model-driven security. In J.-M. Jézéquel, H. Hussmann, & S. Cook (Eds.), Proceedings of the 5th International Conference on the Unified Modeling Language (LNCS 2460, pp. 426-441). McDermott, J., & Fox, C. (1999). Using abuse casemodelsforsecurityrequirementsanalysis.In Proceedingsofthe15thAnnualComputerSecurity Applications Conference (pp. 55-64). Mead, N. R. (2006). Identifying security require- ments using the security quality requirements engineering (SQUARE) method. In Mouratidis, H., & Giorgini, P. (Eds.), Integrating security and software engineering (pp. 44–69). Hershey, PA: Idea Group. Mouratidis, H. (2004). A security oriented ap- proach in the development of multiagent systems: Applied to the management of the health and social care needs of older people in England. Unpublished doctoral dissertation, University of Sheffield, South Yorkshire, UK. Mouratidis, H., & Giorgini, P. (Eds.). (2006). Integrating security and software engineering: Advances and future visions. Hershey, PA: Idea Group. doi:10.4018/978-1-59904-147-6 Mouratidis,H.,&Giorgini,P.(2007).Securityat- tacktesting(SAT)-testingthesecurityofinforma- tionsystemsatdesigntime. InformationSystems, 32(8), 1166–1183. doi:10.1016/j.is.2007.03.002 Mouratidis, H., Jürjens, J., & Fox, J. (2006). Towards a comprehensive framework for secure systems development. In E. Dubois & K. Pohl (Eds.), Proceedings of the 18th International Conference on Advanced Information Systems Engineering (LNCS 4001, pp. 48-62). Schumacher, M., & Roedig, U. (2001). Security engineering with patterns. In Proceedings of the 8th Conference on Pattern Languages for Pro- grams, Chicago, IL. Sindre, G., & Opdahl, A. L. (2005). Eliciting securityrequirementswithmisusecases. Require- ments Engineering, 10(1), 34–44. doi:10.1007/ s00766-004-0194-4 Stallings, W. (1999). Cryptography and network security:Principlesandpractice(2nded.).Upper Saddle River, NJ: Prentice Hall. Wilhelm, T. (2009). Professional penetration testing: Creating and operating a formal hacking lab. Oxford, UK: Syngress. Yu, E. (1995). Modelling strategic relationships for process reengineering. Unpublished doctoral dissertation, University of Toronto, Toronto, ON, Canada. ENDNOTES 1 To support easier understanding, we have decided to limit the number of actors, de- pendencies and security constraints shown in the Security Analysis Model. 2 For security issues, we are not allowed to maketheresultsofthepenetrationtestwidely available. This work was previously published in the International Journal of Secure Software Engineering, Volume 2, Issue 3, edited by Khaled M. Khan, pp. 23-41, copyright 2011 by IGI Publishing (an imprint of IGI Global).
- 51. 20 Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. Chapter 2 INTRODUCTION Service-oriented software architectures (SOA) promise enhanced reusability, interoperability, and flexibility for the implementation of business processes in information systems. However, this increase in flexibility and versatility comes at a price: it aggravates software quality assurance. The distributed, inhomogeneous, and often non- transparent nature of service building blocks stemming from different organizational domains is a supplementary constraint for the reliable Christian Jung Fraunhofer Institute for Experimental Software Engineering, Germany Manuel Rudolph Fraunhofer Institute for Experimental Software Engineering, Germany Reinhard Schwarz Fraunhofer Institute for Experimental Software Engineering, Germany Security Evaluation of Service-Oriented Systems Using the SiSOA Method ABSTRACT The Service-Oriented Architecture paradigm (SOA) is commonly applied for the implementation of complex, distributed business processes. The service-oriented approach promises higher flexibility, in- teroperability and reusability of the IT infrastructure. However, evaluating the quality attribute security of such complex SOA configurations is not sufficiently mastered yet. To tackle this complex problem, the authors developed a method for evaluating the security of existing service-oriented systems on the architectural level. The method is based on recovering security-relevant facts about the system by using reverse engineering techniques and subsequently providing automated support for further interactive security analysis at the structural level. By using generic, system-independent indicators and a knowl- edge base, the method is not limited to a specific programming language or technology. Therefore, the method can be applied to various systems and adapt it to specific evaluation needs. The paper describes the general structure of the method, the knowledge base, and presents an instantiation aligned to the Service Component Architecture (SCA) specification. DOI: 10.4018/978-1-4666-2482-5.ch002
- 52. 21 Security Evaluation of Service-Oriented Systems Using the SiSOA Method determination of software quality attributes, especially those that are global properties of the overall SOA system, such as safety or security. Although technical standards such as the Web Services Security Specification (OASIS, 2010) exist, SOA systems are still vulnerable to many basic threat types. Securityisanoverarchingqualityconcernthat requires adequate treatment at a holistic system level. It cannot be handled effectively by analyz- ing the security issues only at source code level, especially not in a manual manner. To better keep track of the global security characteristics and to survey the logical security design of a system, all security-related information should be assessed in the context of a more abstract, structural level of the fundamental system architecture. Security- relatedinformationreferstosystemcharacteristics that can have a positive or negative impact on the system’ssecurity,suchascodelocationswherese- curity functions (e.g., authentication, encryption, integritycheck)arecalledor whereconfiguration parameterscontrollingthesefunctionsaredefined. We claim that architectural views provide an ad- equate point of view for the security assessment of complex software systems. In a SOA, all components have to be analyzed in their current configuration. However, the num- ber of components, their changing orchestration and the distributed nature of SOA systems often renders a manual analysis impracticable. System behavior, especially the dynamic se- curity characteristics of the system in its entirety, is hard to obtain if the relevant information is scatteredacrossmanySOAcomponentsandtheir respective design artifacts. Inanearlierpublication(Antonino,Duszynski, Jung, & Rudolph, 2010), we presented SiSOA (»Security in Service-oriented Architectures«), an assessment method for collecting security- related system properties and presenting them in architecturalviewsforefficientevaluation.SiSOA comprisesthreephases:Extraction,Identification, and Analysis of security properties, as shown in Figure 1. The Extraction phase uses static analy- sis and standard reverse engineering techniques to gather security-related information from the system under evaluation. This information from source code, configuration, and policy files is abstracted and generalized in the subsequent Identificationphase,anddisplayedinarchitectural views.Abstractionisbasedonsecurityrulesfrom a knowledge base. In the finalAnalysis phase the abstracted and generalized information is inter- actively assessed, augmented, and evaluated by the human inspector. To this end, the inspector is guided through different views where potentially harmfulsecurityissuesaswellaspositivesecurity features are marked. A more detailed description of SiSOA, especially of the Extraction and Iden- tification phases together with technical details, can be found in Antonino, Duszynski, Jung, and Rudolph (2010). In this article, we explain the SiSOA method and show how the knowledge base fits into our SiSOA methodology. In addition, we briefly de- scribe our prototype tool that implements SiSOA including the knowledge base and provides sup- port for semi-automatic security evaluation of SOA systems. This includes the description of our security estimation values: severity and cred- ibility. MODEL EXTRACTION The purpose of the Extraction phase is to create a model of the analyzed system that stores all basic information necessary for further analysis steps. Thismodeliscalledsystemmodel;itisconstructed byusingreverseengineeringtechniques(Chikof- sky & Cross, 1990). The system model contains information about diverse software artifacts such as classes, packages, relations between classes or packages, and any other structural information that may potentially contribute to further security analysis. The input for building the model is the source code of the evaluated system and some
- 53. 22 Security Evaluation of Service-Oriented Systems Using the SiSOA Method complementary artifacts such as SOAconfigura- tion files. The system model is based on the Eclipse Modeling Framework (EMF) (Steinberg, Bu- dinsky, Paternostro, & Merks, 2008). In our prototype implementation, we reuse two exist- ing EMF models: One is from Apache Tuscany (Davis,2009;Laws,Combellack,Feng,Mahbod, & Nash, 2011; The Apache Foundation, 2011), a Service ComponentArchitecture (SCA) (OSOA, 2011) implementation; the other is from SAVE (Duszynski, Knodel, & Lindvall, 2009), an Eclipse-based tool for the analysis of software architecturethathasbeendevelopedatFraunhofer IESE and Fraunhofer CESE. The SCA model of Apache Tuscany provides higher-level informa- tionaboutservicesandpoliciesimplementedinthe analyzedsystem,whiletheSAVEmodelprovides lower-level information, for example, about Java classes, methods, and their dependencies. The information stored in the system model is extracted from the source code and configuration files of the analyzed system. Extraction of class- level information is performed by a customized Java parser, while service-specific information is providedbytheapplicationprogramminginterface of the Tuscany framework. We augmented these EMF models with a connector model that relates the elements of the reused models to each other and adds additional information not included in the original models. After the linking and integration of the partial models, the system model is complete and can be used as input in the Identification phase. KNOWLEDGE BASE Basically, the knowledge base is a tree structure forstoringsecurity-relatedinformationthathelps to reveal and assess security properties of a soft- ware system, and for relating these properties to fundamental security goals. Several hierarchical levels are used for structuring the information. TheselevelsreflecttheIdentificationandAnalysis phases,respectively(Figure1).TheIdentification phase (see Section »Identification«) is supported by implementation- and technology-dependent informationatthebottomofthehierarchy,whereas theAnalysisphase(seeSection»ExampleofaSe- curityAnalysis«) uses abstract security goals and indicators forming the top level of the knowledge base hierarchy. The model hierarchy comprises three main levels: • Tagging rules form the lowest level of the knowledge base. They describe which se- curity related artifacts (e.g., security-re- Figure 1. Overview of the SiSOA approach
- 54. 23 Security Evaluation of Service-Oriented Systems Using the SiSOA Method lated import or call relations, annotations, exceptions, access relations) must be pres- ent in a specific part of the system so that a security property can be tagged, and how to derive new security tags based on ex- isting tag constellations. A security tag is a marker that represents a security issue or feature, for instance, the use of crypto- graphic functions. Tagging rules consist of one or more security tags and subordinate artifacts (i.e., security-related information extracted from the system that triggered the tag assignment). • At an intermediate level the indicator map- ping interconnects security indicators that are human-readable and checkable with re- ferring security tags. • At the top of the hierarchy abstract security knowledge is represented by security goals as root nodes, which are decomposed into corresponding security indicators. The knowledge base has to be built by secu- rity experts, using insights gained from previous security analyses. For reusing the stored security information, the knowledge base expresses the information in a generalized way, especially in the highest abstraction layer. It may also contain system-specific goals, indicators, or tagging rules, or it can be tailored to individual needs of asecurityaudit.Theidentificationandabstraction process is semi-automatic because new security tags can be added manually to the knowledge base, and existing security tags may be modified by user intervention. The remainder of this sec- tion describes the three levels of the knowledge base in more detail. Tagging Rules Each security tag is represented as a tree structure (see layers 3 and 4 in Figure 4). This tag tree can be either a »basic« tree where the leaves repre- sent concrete characteristics that can directly be found in the system model during the Extraction phase—so-calledsecurityartifacts.Alternatively, the tree can be a »complex« tree combining exist- ing security tags to a new tag at a higher level of abstraction. In the latter case, the leaves of the security tag tree are other security tags. It is also possibletohavemixedstructures(tagsandsecurity artifacts as tree nodes). Logical operators (OR, XOR, AND, NOT) are used to link the subordi- nate trees that define the overall tag specification. To structure tags that address similar kinds of security properties (e.g., »DES-encrypted« and »AES-encrypted«)andtosimplifytheirinterpreta- tion,theknowledgebasedefinesmultipletagging levels. For example, the tags »DES-encrypted« and»AES-encrypted«canbeconnectedbyanOR operatortoconstituteamoregeneral»encrypted« tag.We can basically distinguish between two tag types. On the one hand, there are tags depending on programming languages or technologies; on the other hand, there are more general tags that aggregate the technology-dependent tags into moreabstract,technology-independentconcepts. Everysecuritytaghasapredefinedapplication target, which can be a system component such as a class, a service, an interface, or a composite. A security rule will only apply if all its security ar- tifacts (or subordinate security tags, respectively) appear within the scope of their respective appli- cation target. Since it is possible to create rules thatcombinesecuritytagsintoanew securitytag, higher-levelsecuritytagsthatspandifferenttargets are promoted to a more general target scope (e.g., from class to service) as required. Whenspecifyingtaggingrules,theconnections between security artifacts and security tags are weighted. The weighting adds to modeling secu- rity knowledge more accurately. Weights reflect the significance of security artifacts that imply a specific security tag, that is, their discriminatory power with respect to the security issue at hand. Weights have to be estimated by a security expert who can judge the impact of an artifact on the security property reflected by the tag. Based on
- 55. Another Random Document on Scribd Without Any Related Topics
- 56. impropriety of speculating on the likelihood that representations of the universal spirit were admitted in a temple built for the ritual of a creed which acknowledges neither a god nor a soul aspiring to communion with the divine essence in prayer, desiring nothing but annihilation. Yet the Buddhists did learn to pray and to give transcendental ideas a tangible expression in human shape, though they never sank to idolatry. And in Java, mixing freely with Brahmanism, not impermeable to the Sankhya doctrine, Buddhism seems to have swerved occasionally from its longings for extermination in the Nirvana to entertain vague, confused notions of something more hopeful, witness the oft repeated Banaspatis. Herein lies, perhaps, the explanation of otherwise embarrassing peculiarities observed in the conception, the attributes and attitudes of many Buddhist statues in the island which, for the rest, are distinguished by great simplicity of execution. So is the throne which extends over half the floor of the inner room of the central temple of the chandi Sewu, and the same applies to the few headless Dhyani Buddhas lying round, sundered from their stations where they faced the cardinal points, the four quarters of the world, and the first of them, the very elevated, facing the sky. A gigantic finger of bronze, found in the chapel of the throne, supports the theory that the principal statue was of that alloy, an additional incentive to plunder— ancient images of bronze have become scarce indeed: the form of the cushioned pedestal in the chandi Kalasan too betokens a captured metallic Tara, to the further detriment of the domiciliary rights there claimed for the homeless Lady of Mystery in the residency grounds at Jogja. Although the bulky raksasas which keep her company in that place of exile, prove that official vandalism did not hesitate to avail itself of facilities of transportation afforded by forced labour, the uncommonly heavy guardians of the chandi Sewu balked even the absolute decrees of local despotism. Everything desirable that could be detached and removed, is, however, gone. Those in authority having exercised their privilege by helping themselves, mere private individuals gleaned after their reaping, with or without permission,
- 57. and exceedingly interesting collections of antiquities were formed by owners of neighbouring sugar-mills. What they appropriated, did, at least, remain in the country, but, among other sculpture, the lion- fighting elephants which lined the fourteen staircases, ten feet high and eight feet wide, still in place as late as 1841, cannot even be traced—they are dissolved, battling animals, staircases and all. It is always and everywhere the same story: statuary and ornament are stolen, treasure-seekers smash the rest, the stones are prime building material and who cares for the preservation of worthless, because already looted and demolished, tumble-down temples? The monuments in the plain of Soro Gedoog have suffered exceptional outrages; at this moment hardly anything is left because there exists absolutely no control, says Major van Erp. His investigations disclosed that stones taken from the chandi Prambanan and, when this was stopped, from the chandi Sewu, were used for the building of a dam in the river Opak. Had not public opinion made itself heard, both these temples might have shared the fate of the chandi Singo, once one of the finest in that region, whose gracefully decorated walls excited the admiration of Brumund in 1845, whose substructure with damaged ornament still held out until 1886, while now the ground-plan cannot even be guessed at and deep holes, dug to get at the foundations, are the only indications of the razed building’s site. To give an idea of the quantity of material used for the dam in the river Opak, I transcribe the measurements of its revetments: 35 metres on the left and from 50 to 60 metres on the right bank; the facings, running up to a height of 6 metres, make it evident beyond doubt where the stone for that work was quarried. Neither are we quite sure that such frightful spoliation belongs wholly to the past. The value of Government solicitude, so eloquently paraded in circulars and colonial reports, can be gauged from the fact, stated by Mr. L. Serrurier, that, during officially sanctioned excavations among the ruins of the chandis Plahosan and Sewu, the stones brought to the surface were simply thrown pell- mell on a heap without their being marked as to locality and position, quite in keeping, it should be added, with the prevailing custom.
- 58. This accounts for the sad desolation, more pitiful since soi-disant archaeologists got their hands in, shone upon at the chandi Sewu as at the chandis Plahosan, Sari, Kalasan, Panataran, to restrict myself to one name from East Java,—shone upon by the sun, the egg of the world, whose yolk holds the germ of creation, Surya, the solar orb personified, is a companion wonderfully, grandly suggestive among the “thousand temples” of life accomplished, decaying into new birth, whether he scorches the earth and withers the drooping flowers, or climbs a dim, hazy sky to attract the vapours that descend again in precious showers when the clouds collect and cover the stars, charming from darkness the lovely dawn and budding day. The meditations he disposes the mind to are mostly directed to the future, dreams of coming happiness, and even the contemplative Buddhist images under the Banaspatis seem agitated by their knowledge of a promise excelling the hope of Nirvana, which cannot satisfy the aspirations of the children of this island, full of the joy of existence. What will the future bring to them, the people cradled in tempest, who were taught forbearance by a creed profoundly imbued with the inner nature of things, and submission when misery of war and pestilence came as the harbingers of bondage to an alien race? Too trustful, they sacrificed their birthright for a mess of pottage and after the encroachments of the Company, past ages crowding on their memory, the felicity of the jaman buda assumes to their imagination a tangible shape in the ancient monuments founded by the rulers of their own flesh and blood, edifices so widely different from the meretricious Government opium-dens and Government pawn-shops in which the predatory instinct of the present masters manifests itself—layin dahulu, layin sekarang.[123] Resigned to fate, which wills the mutability of earthly relations, the Javanese philosopher—and all Javanese are philosophers in their way—takes the practical view of the Vedantins, considering that calamities mean purification to the victor in moral contest, and looking for a serene morning after a night of distress. He has more beliefs than one to draw upon when seeking refuge in his cherished maxim, his phlegmatic apa boleh buwat,[124] and
- 59. doubts not the possibility of obtaining a Moslim equivalent for the Buddhist arahat, the perfect state, irrespective of outward conditions, by the help of a Hindu deity, Ganesa, who knows what is to happen and, as Vinayaka, the guide, conquers obstacles hurtful to his votaries in the course of events preordained according to their Islāmic doctrine—syncretism yet more complex than that of their forefathers of Old Mataram! Watch well the heart, commanded the master. As to the watched heart dominating the senses, the Javanese, rather a mystic than an ascetic, and predominantly a child of nature, whence he proceeds and whither he returns in his search of the divine, prefers enjoyment of the world’s fullness to mortification of the flesh. He feels much more closely drawn to Padmapani, the lord of the world that is, than to any other of the emanations of the essence of the Universe, be it Diansh Pitar or the One, the Eternal, who sent Muhammad as a mercy to all creatures, or the Adi-Buddha, the primitive, the primordial, the incarnate denial of god and soul together. Whatever he prays by, the deity involved is one of overflowing gladness, who presents a flower with each hand, like Surya when circling land and sea and air in three steps; and, notwithstanding his sorrows, he rests content with his portion for, though the light of day sets, it will rise again in glory.
- 60. CHAPTER VIII THE APPROACH TO THE BORO BUDOOR The goodly works, and stones of rich assay, Cast into sundry shapes by wondrous skill, That like on earth no where I reckon may; Edmund Spenser, Faerie Queene, Canto X. Among the ancient monuments of Insulinde[125] the chandi Boro Budoor stands facile princeps. Situated in the Kadu, it is easily reached from Jogjakarta, about twenty-five miles, or from Magelang, about eighteen miles distant, by carriage or, still more easily, by taking the steam-tram which connects those two provincial capitals and leaving the cars at Moontilan where an enterprising Chinaman provides vehicles, at short notice, for the rest of the journey via the chandi Mendoot on the left bank of the Ello, just above its confluence with the Progo. No better approach to the most consummate achievement of Buddhist architecture in the island or in the whole world, can be imagined than this one, which leads past the smaller but scarcely less nobly conceived and conscientiously executed temple, a commensurate introduction to the wonderful, crowning edifice across the waters, portal to the holiest in gradation
- 61. of majestic beauty. The Kadu has been well styled the garden of Java, as Java the pleasance of the East, full of natural charms which captivate the senses, abounding in amenities soothing to body and soul; but if it had nothing more to offer than the Boro Budoor and the Mendoot, it would reward the visitor to those central shrines of Buddhism far beyond expectation. Behind the horses, a mental recapitulation of the characteristics of Hindu and Buddhist architecture in the golden age of Javanese art will not come amiss, and there may be some wonder that with so much veneration for the Bhagavat in friendly competition with the Jagad Guru, nowhere in the negri Jawa an imprint is shown of the blessed foot of promise, with the deliverer’s thirty-first sign, the wheel of the law on the sole. If, in explanation, it should be adduced that he never travelled to those distant shores, what does that matter? Has he been in Ceylon? And how then about the sripada, the record left there as in so many other countries, with the sixty- five hints at good luck? While we revolve such questions, our carriage rolls on; the coachman cracks his whip, evidently proud of his skill in turning sharp corners without reining in; the runners jump with amazing agility off and on the foot-board and crack their whips, rush to the front to encourage the leaders of the team up steep inclines, fall again to the rear when it goes down hill in full gallop. The exhilarating motion makes the blood tingle in the veins. How lovely the landscape, the valley shining in the brilliant light reflected from the mountain slopes, ... Another turn and we dash like a whirlwind past the kachang-oil[126] and boongkil[127] mill of Mendoot; still another turn and, with a magnificent display of his dexterity in pulling up, our Jehu brings us to a sudden standstill before the temple. Opposite is a mission- school conducted for many years, with marked success, by Father P. J. Hoevenaars, in his leisure hours an ardent student of Java’s history and antiquities, ever ready to apply the vast amount of learning accumulated in his comprehensive reading on a solid classical basis, to the clearing up of disputed points, though his
- 62. modesty suffered the honours of discovery to go to the noisy players of the archaeological big drum. His large stock of information was and is always at the disposal of whoever may choose to avail himself of it and, writing of the chandis Mendoot and Boro Budoor, I acknowledge gratefully the benefit derived from my intercourse with this accomplished scholar, lately transferred to Cheribon. The exact date of the birth of the chandi Mendoot is unknown but there are reasons for believing that it was built shortly after the chandi Boro Budoor, at some time between 700 and 850 Saka (778 and 928 of the Christian era), in the glorious period of Javanese architecture to which we owe also the Prambanan group, the chandis Kalasan, Sewu and whatever is of the best in the island. There are additional reasons for believing that the splendour loving prince who ordered the Boro Budoor to be raised and under whose reign the work on that stupendous monument was begun, founded the Mendoot too as a mausoleum to perpetuate his memory, and that his ashes were deposited in the royal tomb of his own designing before its completion. If so, he was one of the most prolific and liberal builders we have cognisance of; but his memory is nameless and all we know of him personally, besides the imposing evidence to his Augustan disposition contained in the superb structures he left, rests upon two pieces of sculpture at the entrance to the inner chamber of the mortuary chapel, if such it be, which represent a royal couple with a round dozen of children, just as we find in some old western churches the carved or painted images of their founders’ families.[128] We are perhaps indebted for the preservation of these suggestive reliefs to the circumstance of the chandi Mendoot having been covered, hidden from view during centuries and to a certain extent protected against sacrilegious hands by volcanic sand, earth and vegetation. Almost forgotten, its slumbers were, however, not wholly undisturbed for, when Resident Hartman, his curiosity being excited by wild tales, began to clear it in 1836, he found that treasure-seekers, out for plunder, had pierced the wall above the porch and that by way of consolation or out of vexation at missing the untold wealth reported to be buried inside, they had carried off
- 63. or smashed the smaller, free standing statuary. The process of cleaning up rather stimulated than prevented new outrages: stripped of its covering of detritus, which had shielded it at least against petty, casual pilfering, the chandi Mendoot excited by its helpless beauty the most injurious enthusiasm. Fortunately, the statues which formed its chief attraction were too big for the attentions of the long-fingered gentry whose peculiar methods in dealing with native art strongly needed but never experienced repression by the local authorities. XXIII. CHANDI MENDOOT BEFORE ITS RESTORATION (Cephas Sr.) Speaking of the statuary and comparing it with Indian models, more particularly a four-armed image, seated cross-legged on a lotus, the stem of which is supported by two figures with seven-headed snake- hoods, Fergusson says: The curious part of the matter is, that the Mendoot example is so very much more refined and perfect than that at Karli. The one seems the feeble effort of an expiring art, the Javan example is as refined and elegant as anything in the best age of Indian sculpture. Of the Mendoot carvings, however, more anon. I
- 64. shall first endeavour to give a general idea of this temple which, according to the same writer, though small, is of extreme interest for the history of Javanese architecture. Rouffaer calls it the classic model of a central shrine with substructure and churchyard, while observing that the principal statue of the Boro Budoor, the rest of whose statues are turned either towards one of the cardinal points or towards the zenith, faces the east and the Mendoot opens to the west, the two temples therefore fronting each other. Closely observed, the latter proved of double design since it consists of a stone outer sheath, built round an older structure of brick, the original form with its panellings, horizontal and perpendicular projections, having been scrupulously followed. The neatly fitting joints, both of the hewn stones and of the bricks of the interior filling, show a mastery of constructive detail rarely met with at the present day and certainly not in Java. To this wonderful technique, adding solidity to a graceful execution of the ground-plan, belongs all the credit for the Mendoot holding out, notwithstanding persistent ill-usage. An ecstatic thought brightly bodied forth by a daring imagination and astonishing skill, a charming act of devotion blossoming from the flower-decked soil as the lotus of the good law did from the garden of wisdom and universal love, it must have looked grandly beautiful in its profuse ornament, which taught how to be precise without pettiness, how to attain the utmost finish without sacrificing the ensemble to trivial elaboration. Yet this gem of Javanese architecture seemed destined to complete destruction. Its pitiful decay did not touch the successors of Resident Hartman. When, in 1895, after several years’ absence from the island, I came to renew acquaintance, it had visibly crumbled away; official interference with “collectors” limited itself to notices, stuck up on a bambu fence, warning them of the danger they ran from the roof falling in. It needed two years more of demolition, the walls bulging out, the copings tumbling down, before the correspondence, opened in 1882 anent a desirable restoration, produced some result; before the Mendoot, the jewelled clasp of that string of pearls, the Buddhist chandis pendent on the breast of Java from the Boro Budoor, her diamond tiara, was going to be refitted.
- 65. And how? It is an unpleasant tale to tell: after two decades of consideration and reconsideration, in the fourth year of the preliminary labours of restoration, the local representative of the Department of Public Works, put in charge of the job as a side issue of his already sufficiently exacting normal duties, aroused suspicions concerning his competency in the archaeological line. An altercation with Dr. Brandes, followed by more controversy de viva voce, in writing and in print, led to compliance with his request that it might please his superiors to relieve him from his additional and subordinate task as reconstructor of ancient monuments. From that moment, January 2, 1901, until May 1, 1908, absolutely nothing was done and the scaffoldings erected all round the building were suffered to rot away, symbolic of the extravagant impecuniosity of a Government which never cares how money is wasted but always postpones needful and urgent improvements till the Greek Kalends on the plea of its chronic state of kurang wang.[129] When most of the fl. 8600, fl. 7235, fl. 25142 and fl. 4274, successively wrung from Parliament for excavations and restoration, had been squandered on what Dr. Brandes considered to be bungling patchwork, the expensive, useless scaffoldings, becoming dangerous to the passers- by in their neglected state, necessitated the disbursement, in 1906, of fl. 350 for their removal. On the continuation of the work, in 1908, by other hands, of course a new one, also of teak-wood, had to be erected. And, the restoration once more being under way on the strength of fl. 6800 grudgingly allotted, Parliament decided finally that no sufficient cause had been shown to burden the colonial budget with the sum which, according to an estimate of 1910, was required to bring it to an end! The profligately penurious mandarins of an exchequer exhausted by almost limitless liberality in the matter of high bounties, subsidies, allowances, grants for experiments which never lead to anything of practical value; in the matter of schemes which cost millions and millions only to prove their utter worthlessness,—the penny-wise, pound-foolish heads refused, after an expenditure of fl. 52401 to little purpose, to disburse fl. 21700 or even fl. 7000 more for the completion of the work commenced, this
- 66. time under guarantee of success. Arguments advanced to make them revoke their decision, were met with the statement that the Government did not intend to deviate from the line of conduct, adopted after mature deliberation in regard to the ancient monuments of Java, restricting its care to preservation of the remains ... a characteristic sample of Governmental cant in the face of grossest carelessness and the kind of preservation inflicted on the chandi Panataran or wherever its officials felt constrained by public opinion to act upon make-believe circulars from Batavia and Buitenzorg before pigeon-holing them. And so the perplexing inconsistencies of Dutch East Indian finance, parsimony playing chassez-croisez with boundless prodigality, are faithfully mirrored in the tribulations of the chandi Mendoot: the reauthorised work of restoration was stopped again, on the usual progress killing plea of kurang wang, after the adjustment of the first tier above the cornice, and the temple, bereft of its crowning roof in dagob style, calculated to fix the basic conception in the beholder’s mind, has in its stunted condition been aptly compared to a bird of gorgeous plumage, all ruffled and with the crest-feathers pulled out.
- 67. XXIV. CHANDI MENDOOT AFTER ITS RESTORATION (Archaeological Service.) The operations were hampered by still other contrarieties. A tremendous battle was waged apropos of the question whether or not gaps in the layers of stones of the front wall above the porch pointed to the existence of a passage or passages for the admittance of air and light to the inner chamber; if so, whether or not those passages inclined at an angle sufficient to let the sun’s rays illumine the head of the principal statue in that inner chamber. To rehearse the heated dispute is not profitable: as usual, after the chandi had fallen into ruin and an endless official correspondence had lifted its ruin into prominence, archaeological faddists of every description tried to acquire fame with absurd suggestions and crazy speculations. Leaving their theories regarding the inclinations of the axes of probable or possible transmural apertures for what they are, more instruction is to be derived from the decorative arrangements. The inherent beauty of the ornament survived happily the injurious effects of changing monsoons, of ruthless robbery, of preservation in the Government sense of the word. When the sun caresses it, the Friendly Day, under the blue vault of the all-compassing sky, smiling at this gem of human art, offered in conjugal obedience by the earth, which trembles at his touch, it seems a sacrificial gift of reflowering mortality to heaven. In art, said Lessing, the privilege of the ancients was to give no thing either too much or too little, and the remark of the great critic, as here we can see, applies to a wider range of classic activity than he had in mind. Wherever the ancient artist wrought, in Greece or in Java, we find moreover that he drew his inspiration directly from nature; that his handiwork reflects his consciousness of the moving soul of the world; that the secret of its imperishable charm lies pre-eminently in his keenness of observation. To Javanese sculpture in this period may be applied what Fergusson remarked of Hindu sculpture some thousand years older in date: It is thoroughly original, absolutely without a trace of foreign influence, but quite capable of expressing its ideas and of telling its story with a distinction that never was surpassed, at least
- 68. in India. Some animals, such as elephants, deer and monkeys, are better represented there than in any sculptures known in any part of the world; so, too, are some trees and the architectural details are cut with an elegance and precision which are very admirable. Turning to the Mendoot we notice how the sculptors charged with its decoration, always truthful and singularly accurate in the expression of their thoughts and feelings, portrayed their surroundings in outline and detail, wrote in bas-reliefs, ornament and statuary the history, the ethics, the philosophy, the religion of the people they belonged to and materialised their splendid dreams for. What conveys a better knowledge of the Tripitaka, the Buddhist system of rules for the conduct of life, discipline and metaphysics, than their imagery, coloured by the very hue of kindliness and effacement of self in daily intercourse; what inculcates better the paramitas, the six virtues, and charity the first of them, than their carved mementos of the reverence we owe to the life of all sentient creatures, our poor relations the animals, striving on lower planes to obtain ultimate delivery from sin and pain but no less entitled to benevolence than man? As in the decoration of the younger chandis Panataran and Toompang, fables occupy a prominent position in that of the chandi Mendoot. Among the twenty-two scenes spread over the nearly triangular spaces to the right and left of the staircase which ascends to the entrance, eleven on each side, partly lost and wholly damaged, are, for instance, reliefs illustrative of the popular stories of the tortoise and the geese, of the brahman, the crab, the crow and the serpents, etc. Of one of them only a small fragment is left, representing a turtle with its head turned upward, gazing at something in the air, whence Dr. Brandes infers its connection with the following tale, inserted in the account of the concerted action of the animals which conspired to kill the elephant, as rendered in the Tantri, an old Javanese collection of fables: Once upon a time there were turtles who took counsel together about the depredations of a ravenous vulture and their kabayan (chief of the community) asked: —What do you intend to do to escape being eaten by that bird?
- 69. Accept my advice and lay him a wager that you can cross the sea quicker than he; if he laughs at your conceit, you must crawl into the sea where the big waves are, except two of you, one who stays to start on the race when he begins to fly, and one who swims across the day before and waits for him at the other side. What do you think, turtles? You cannot lose if you manage this well.—Your advice is excellent, answered they, and while the kabayan was still instructing them, the vulture arrived and demanded a turtle to eat.— What is your hurry, spoke the kabayan for them all; I bet you that any one of us can swim quicker across the sea than you can fly.—I take that bet, replied the vulture, but what shall I have if I win?—If you win, you will be at liberty to eat me and my people and our children and grandchildren and great-grandchildren and so on and so on to the end of time; but you must pledge your word that if you lose, you will move from here and seek your food elsewhere. It is now rather late but to-morrow morning you can choose any one of my people you please to match your swift flight with.—All right, said the vulture and he went to his nest to sleep, but the kabayan sent one of his turtle-people across the sea. The vulture showed himself again a little after dawn, not to waste time, for he felt pretty hungry and the sooner he could win the race, the sooner he would have breakfast. He did not even take the precaution to select an adversary among the decrepit and slow, so sure was he of his superiority, and, besides, all the turtles were so much alike. The kabayan counted one, two, three, go! and the vulture heard one of them plunge into the water and he unfolded his wings and alighted at the other side in an instant, when, lo! there he saw the beast calmly waiting for him. The vulture felt ashamed and moved to a distant country for he did not know that he had been cheated. And there was only one vulture but there were many turtles. And the boar told this event to his friends, exactly as the reverend Basubarga saw it happen. Another fable, still more widely distributed and clinching the same moral, is that of the kanchil (a small, extremely fleet species of deer) and the snail; travelling to Europe, it is there best known in its
- 70. German form recorded by Jakob and Wilhelm Grimm. Of its many variants in the Malay Archipelago we may mention the wager between a snail and a tiger as to which could most easily jump a river; the snail, attaching herself to one of her big competitor’s paws, wins, of course, and convinces the terror of the woods by means of his hairs adhering to her body, that she is accustomed to feed on his kind, two or three per diem, freshly killed, whereupon the tiger leaves off blustering and sneaks away.[130] The prose version of the Tantri which, somewhat different from the two metrical readings known to us, contains the vulture and turtle incident, dates probably from the last half of the Mojopahit period and is therefore at least four centuries younger than the chandi Mendoot, so that its author and the sculptors of the scenes from popular beast-stories on the temple’s walls, must have had access to a common stock of ancient fables. All turned it to best advantage and the decorators of this splendid edifice seized their opportunity to let the men and animals they carved in illustration of their national literature, express what they had to say in their passionate overflow of the creative instinct. They gave their narrative a frame in ornament of dazzling beauty, sweetly harmonious with the moral of the lessons they taught, stirring to deepest emotion; they cased thoughts of happiest purport in shrines embossed and laced with fretwork more suggestive of ivory than of stone. They adorned the Mendoot as a bride, to be displayed before her husband, the Boro Budoor, revelling in the fanciful idea which makes the saktis of the Dhyani Buddhas carry budding flowers to honour incarnate love. The wealth of statuary, while orthodox Buddhism did not admit the worship of images either of a saintly founder of temples or of his saintly followers; the deities with the attributes of Doorga, Siva and Brahma, who diversify the ornament of the exterior walls, from which right distribution of lines and surfaces may be learnt in rhythmical relation to contour and dimension, are further indications of the syncretism signalising the tolerance, the fraternal mingling of different creeds in the distant age of Mataram’s vigour and artistic energy.
- 71. The religious principles underlying that empire’s greatness and providing a basis for a firm sense of duty to guide a temperament of fire, are nobly embodied in the three gigantic statues placed in the inner chamber of the Mendoot or, to be quite exact, round which that chandi was reared, for the entrance is too small to let them through, especially the largest of them which, miraculously undamaged save one missing finger-tip, has slid down from its pedestal and consequently occupies a lower station between the subordinate figures than originally intended. All three are seated and the first in rank, of one piece with his unembellished throne, measures fourteen feet; the two to his right and left, of less grave aspect, wearing richly wrought necklaces, armlets, wristbands, anklets and tiaras, measure eight feet each. If the oorna[131] more excellent than a crown, identifies the master among them, the position of whose fingers reminds of Vajrochana, the first Dhyani Buddha, the others have been taken respectively for a Bodhisatva and for a devotee who attained by his meritorious life a high degree of saintliness but whose Brahmanic adornment flatly contradicts the Buddhist character of such perfection. This explanation is therefore considered unsatisfactory and unacceptable by many, as, for instance, his Majesty Somdetch Phra Paramindr Chulalongkorn, the late King of Siam, who, by the way, when visiting the chandis Mendoot and Boro Budoor in 1896, claimed those masterpieces of mahayanistic art for his own, the southern church, to use the incorrect but convenient distinction. According to this royal interpreter, the idea was to represent the Buddha in the act of blessing the Buddhist prince who ordered the Boro Budoor to be built, here placed at his right with an image of the deliverer in his makuta and carrying no upawita but a monk’s robe under the insignia of his dignity; the third statue, directly opposite, at the Buddha’s left, without Buddhist accessories but with an upawita hanging down from its left shoulder, might impersonate him again in his state before conversion, or his unconverted father on whom, after death, he wished to bestow a share in the deliverer’s benediction. However this may be, there is no doubt of the
- 72. Enlightened One’s identity in one of his many personifications and, leaving the eighty secondary marks unexplored (three for the nails, three for the fingers, three for the palms of the hands, three for the forty evenly set teeth, one for the nose, six for the piercing eyes, five for the eyebrows, three for the cheeks, nine for the hair, ten for the lower members in general,—without our entering into further detail!), the thirty-two primary signs are all present: the protuberance on the top of the skull; the crisped hair (of a glossy black which the sculptor could not reproduce) curling towards the right;[132] the ample forehead; the oorna, which sheds a white light (also unsculpturable) as the sheen of polished silver or snow smiled upon by the sun; etc. Though the colossal statue of the welcome redeemer, like those of the worshipping kings, does not recommend itself by faultless modelling, it breathes the spirit which sustains the arahat, him who becomes worthy; it radiates the tranquil felicity of annihilation of existence, sin, sorrow and pain; it promises the final blowing out of life’s candle, the Nirvana, when the understanding will be reached of the Adi-Buddha, the primitive, primordial, immeasurable. And the lowest of the four degrees of the Nirvana, it seems to say, is already attainable on earth by emancipation from the bondage of fleshly desire and vice, by avoidance of that which taints and corrupts.... The noonday glare, subdued by the heavy shadow of the porch, fills the sanctuary with a golden haze and upon its dimly gleaming wings a faint music descends, a song of deliverance. The psalmist’s visions of the covering of iniquity compass us about and invite to recognition of a common source of divine inspiration in mankind of whatever creed. The scent of the melati and champaka flowers, strewn at the feet and in the lap of the deity—the image of him who taught that there is none such, and revered by professed believers in the Book which consigns idolaters to hell-fire!—mingles with the pungent odour of the droppings of the bats, fluttering and screeching things in the dark recesses of the roof, disturbed in their sleep. Truly there ought to be a limit to syncretism and this last mentioned mixture of heterogeneous
- 73. elements soon affects the visitor in a manner so offensive that retreat becomes a matter of necessity. XXV. INTERIOR OF THE CHANDI MENDOOT (Cephas Sr.) As we step outside, our eyes are blinded by the burning light inundating the valley, the fiery furnace ablaze at the foot of mountains flaming up to the sky, a terror of beauty: Think of the fire that shall consume all creation and early seek your rescue, said the Buddha. It speaks to us of the cataclysm which shook Java on her foundation in the waters and upset the work of man, killing him in his thousands and burying his temples, the Mendoot and many, many more, under the ashes of her volcanoes, some such upheaval as when the conflict began between the Saviour of the World and the Great Enemy, to quote from the sacred scriptures; when the earth was convulsed, the sea uprose from its bed, the rivers turned back to their sources, the hill-tops fell crashing to the plains; when the day at length was darkened and a host of headless spirits rode upon the tempest. Though the ground has also been raised by the
- 74. drift down the slopes of the Merapi, by the overflowing runnels discharging their load of mud into the Ello and the Progo, the magnitude of volcanic devastation can be gauged from the difference in level between the base of the chandi and the site of the kampong higher up, under which the platform extends whereon its subsidiary buildings stood. Excavations in the detritus have already resulted in the discovery of portions of a brick parapet once enclosing the temple grounds; of vestiges of smaller shrines in the east corner of the terrace and of a cruciform brick substructure to the northeast with fragments of bell-shaped chaityas;[133] of a Banaspati, probably from the balustrade of the staircase, and detached stones with and without sculptured ornament, which revealed the former existence of several miniature temples surrounding the central one. At the time of my last visit (which came near terminating my career in my present earthly frame, through the rotten scaffolding giving way under my feet when ascending to the roof), more than half of the space conjecturally encompassed by the parapet, still awaited exploration, and since then restoration, within the limits of the scanty sums allowed, seems to have superseded excavation. In connection with both, the names should be mentioned of P. H. van der Ham, who did wonders with the little means at his disposal, and C. den Hamer, who showed that the decoration of the Mendoot too was not completed before the great catastrophe which devastated Central Java and stopped architectural pursuits.[134] Reviewing the history of the ancient monuments of the island, not one can pass without a repetition of the sad tale of spoliation. However unpleasant it be to record in every single instance the culpable negligence of a Government stiffening general indifference and almost encouraging downright robbery, the rapid deterioration of those splendid edifices allows no alternative in the matter of explanation. When officials and private individuals of the ruling race set the example, the natives saw no harm in quarrying building material on their own account for their own houses, and they had no time to lose in the rapid process of the razing of their chandis for the
- 75. adornment of residency and assistant-residency gardens, the construction of dams, sugar-mills and indigo factories. Temple stones have been found in many villages round the Mendoot and particularly in Ngrajeg, about two miles distant on the main road, there is no native dwelling in the substructure of which they have not been used.[135] Though the wealth of the dessa Ngrajeg in this respect may be explained by its once having boasted its own chandi, of which nothing remains but the foundations, there is abundant proof that the chief quarry of the neighbourhood on this side of the river was the Mendoot as the Boro Budoor on the other. From a juridical standpoint, the natives in possession of such spoil, acquired by their fathers or grandfathers, have a prescriptive right on it not disputable in law, averred the administration at Batavia, and so whatever the architects in charge of the restoration needed, had to be bought back and diminished still further the disposable funds. Leaving the doubtful points of this legal question and the enforcement in practice of the theoretical decision for what they are worth to Kromo or Wongso, ordered to part with his doorstep or coinings, there is no doubt that it is illegal and highly censurable to demolish temples, and temples like the Mendoot at that, to secure building material for Government dams and bridges. What happened in Mojokerto with the bricks of Mojopahit and has been complained of elsewhere, I saw happen in 1885 with Mendoot stones, freely used for abutments, piers, spandrel fillings, etc., when near by the spanning of the Progo was in progress. That bridge has since succumbed like the railway bridge then in course of construction farther down the Progo, a warning which, if heeded, might have prevented, for instance, the chronic misfortunes of the railway bridge in the Anei gorge, West Coast of Sumatra. With Government bridges lacking the strength to resist the impetuosity of more than ordinarily boisterous freshets, there may always be a surprise in store for the pilgrim to the Boro Budoor who has arrived at the first station, the Mendoot: will he or will he not find the means to cross? For, in time of banjir, i.e. when the river is in spate, the primitive ferry which maintains the communication in
- 76. Welcome to our website – the perfect destination for book lovers and knowledge seekers. We believe that every book holds a new world, offering opportunities for learning, discovery, and personal growth. That’s why we are dedicated to bringing you a diverse collection of books, ranging from classic literature and specialized publications to self-development guides and children's books. More than just a book-buying platform, we strive to be a bridge connecting you with timeless cultural and intellectual values. With an elegant, user-friendly interface and a smart search system, you can quickly find the books that best suit your interests. Additionally, our special promotions and home delivery services help you save time and fully enjoy the joy of reading. Join us on a journey of knowledge exploration, passion nurturing, and personal growth every day! ebookbell.com