Secure Software
Design with UML
Secure UML:
Requirements
System Architecture/Design
Test
Acknowledgments
References are provided per page. Most diagrams are original, but
ideas are adapted from references.
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Contributors/Reviewers:
Tim Knautz, Janine Spears PhD, David Green PhD, Megan Reid
Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information
Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations
expressed in this material are those of the author(s) and/or
source(s) and do not necessarily reflect the views of the National
Science Foundation.
Security Assures … CIA
Confidentiality: Limits access of
authorized users and prevents
access to unauthorized users
Integrity: The reliability of
information resources and data
have not been changed
inappropriately
Availability: When something
needs to be accessed by the
user, it is available
Security Vocabulary
Asset: Diamonds
Threat: Theft
Vulnerability: Open
door or windows
Threat agent: Burglar
Owner: Those
accountable or who
value the asset
Risk: Danger to assets
Registration System
Use Case
Register: Clients register to
obtain documentation by
providing name, email, job
function
Provider: Send periodic
updates to Clients to indicate
changes in materials
OCTAVE Security
Requirements Process
Risk: Threat and vulnerability(s) -> negative impact
1. Identify critical assets
2. Define security goals
3. Identify threats
4. Analyze risks
5. Define security requirements
Step 1. Identify Critical Assets
via Business Process Diagram



Contact Info: Name, email, job function
Materials: Course materials
Comments: Feedback, saved & sent as email
Step 2. Define Security Goals
Assets
Contact Info
Materials
Comments
Confidentiality
Integrity
Availability
**
No PII maintained
***
Require accurate
list of interested
persons
*
Weekly backup
*
Public with login
***
Accurate –
tamper-proof
**
24/7 preferred
**
Confidential pref.
***
Accurate –
tamper-proof
*
Weekly backup,
email
Impact Rating:
* Low Priority
** Medium Priority
*** High Priority
Step 3: Identify Threats
What it is
STRIDE
General
Threats
Software Techniques Advanced Security
Secure Password
Digital Certificate
Sec. Awareness
Spoof
Identity
Assume identity
Bypass
protection
Tamper w.
Data
Modify data
Validate input
Stop buffer overruns
Close unused resources
Authentication
Access Control
Message Digest
Repudiation
Hide activities
Require passwords
Log user transactions
Trans. Logging
Digital Signature
Info
Disclosure
Read data
Encrypt data
Encrypt packets
Minimal permissions
Encryption
Authentication
Secure Handling
Denial of
Service
Unreliable
execution,
resource
consumption
Validate real user via
CAPTCHA
Test for Failures
Firewall
Intrusion
Prevention
System
Elevation of
Privilege
Gain privileges
Execute
unauthorized
cmds/code
Take care with error
messages
Hide system files
Require approval
Access Control
Segregation of
Duties
Encrypt passwords
No backdoor entry
Step 3. Identify Threats
via Misuse Case Diagram
Which misuse cases relate
to:
•Confidentiality?
•Integrity?
•Availability?
Definitions:
DOS = Denial of Service
misuser
Misuse case
Step 3 (cont’d):
Expand DOS Misuse Case
Overflow DB: Fill disk with records
Send Continual Requests: (Distributed Denial of Service) No processor remains
Step 3 (optional)
Threat Tree
Step 3 cont’d: Lightweight Misuse Case:
Change Valid Data
User Intention
System Response
Security Threat
User requests Reg. form
System provides form
Attacker enters form
input but appends
additional SQL
commands
SQL injection
System processes input
Obtain (client) list
Change valid data
Step 3 Cont’d: Mid-weight Misuse Case
DOS
Misuse Case: Denial of Service
Summary: An attacker issues repeated Registrations, resulting in filling the
database with fake data, and depleting system and file resources.
Basic Path:
1. Do forever
2.
The attacker requests a Registration form
3.
The attacker sends random fake data in the form
4. Enddo
Alternative Paths:
AP1. Repeat data is entered
Mitigation Points:
MP1. At BP Step 2-3 use CAPTCHA in Registration form to avoid bot attack.
MP2. At BP Step 3 validate data: no duplicates, data type matching
Step 3 Cont’d: Mid-weight Misuse Case:
Circumvent Input
Misuse Case: Circumvent Input
Summary: Deviant Client bypasses registration by going directly to the
download web page.
PreCondition: Client does Google search and finds link to download web
page OR obtains link reference from a colleague
Basic Path:
1. DeviantClient obtains web reference from Google or friend.
2. DeviantClient uses web reference to download materials without registering.
Mitigation Points:
MP1: Web page has no other web references.
MP2: Create dynamic web page with unique reference. This web page is
accessible only if a key is provided during registration. Key expires in one
week.
Related Business Rule: Users must register to obtain materials.
Mitigation Guarantee: MP1 and MP2 solves Google search problems. MP2
could be used by friends for one week, which is acceptable.
Step 4: Analyze Risks
Threat
Impact
Likelihood
Priority = I*L
DOS
***
***
9
SQL Attack
(affects integrity,
confidentiality)
***
***
9
Invalid Input
*
***
3
Circumvent input
**
***
6
Step 5:
Define Security Requirements
Definitions
Stage 5: Define Security Requirements
Modify Register Use Case Desc.
Use Case: Register
Summary: Client registers to obtain access to download materials.
Preconditions: Client is at Welcome Web Page
Basic Path:
1. The client selects the Obtain Materials link.
2. The system asks the client for name, email address, job function, and
CAPTCHA.
3. The client enters all three required information.
4. Include (Validate Registration)
5. The system displays the URL for the download materials.
Alternative Path:
AP1. If an attack is detected, no URL is displayed.
Postcondition:
The client has access to the download materials.
The database contains the client contact information.
Stage 5: Define Security Requirements:
Validate Registration Security Use Case
Use Case: Validate Registration
Summary: This include validates a registration.
Precondition: A name, email, job function, and Captcha are provided.
Basic Path:
1. The user enters a name, email, and job function in Step 3 of Register
2. Do until valid CAPTCHA.
3.
Rerequest form with new CAPTCHA
4. The system checks for valid characters, to prevent SQL injection.
5. The system checks for valid name, email and job function
6. If email is unique in database
7.
Save record to database
8. The system returns success.
Postconditions:
The input has been checked for bot attempt, SQL attempt, and validity.
Business Process Diagram
Enhancement
Loc
Loc
Local
Access
AD
AD
Attack
Detection
Pr
Pr
Privacy
Secure UML
SECURE DESIGN
Mis-Sequence Diagram
State Diagram
State Diagrams can
ensure software:
 Retains proper order
of processing
 Recognizes out-ofsequence steps
 Can change behavior
based on time or past
history
Documenting Security
Packages
Sanitizer
Registration
<<Security Package>> Sanitize Input
<<Risk Factor>> 9
<<Security Descriptor>> Injection Attack
Defense
<<protects>>
CAPTCHA
<<Security Package>>
<<Risk Factor>> 9
<<Security Descriptor>> DOS Defense
<<Security Descriptor>> 3rd Party S/W
Open Group’s Common Data
Security Architecture
Application
Common Security Services Manager Application Programming Interface
System Security Services
(Digital Certificate, key management, integrity services, security contexts)
Cryptographic
Services Mgr.
CS Library
Trust
Policy
Services
Mgr.
Trust
Library
Authorization
Certificate
Computation
Library Mgr.
Mgr.
AC Library
Data
Storage
Library
Mgr.
Cert. Library DS Library
Elective
Module
Mgr
New
Services
Lib.
Security Diagrams:
Security Patterns
Authenticator Pattern
Authorization Pattern
Misuse Deployment Diagram



Shows
attacks/defenses
Shows where
attacks are
handled
Useful for:
 Security
Planning
 Audit
 Test
- QC
 S/W Development
Confidentiality
Integrity
Secure UML
SECURE TEST
Availability
BugBar
Bug Bar Standard for Tampering and Repudiation
Severity
Permanent modification of any user data in a common scenario High
that persists after restarting the OS/application.
Permanent modification of any user data in a specific scenario, Moderate
or temporary modification of user data in a common scenario.
Temporary modification of data in a specific scenario that does Low
not persist after restarting the OS/application.
When to Release Software?
Attack Surface
 Knight: suit of armor
protects attack surface by
covering most of his body
 Software: where are
(new) vulnerabilities that
are not mitigated?
Bug Bar
 Security threshold that
must be achieved for
release
Testing
Software Testing = Software works as it should
Vulnerability Testing = Automated testing
checks for holes
Penetration Testing = Probes security risks
addressing threats to policy
Reliability testing: Can s/w survive unusual
conditions: faults or unusual operating
conditions?
Software Testing

Static Testing: Analyzes
code (not execution) for
potential bugs: warnings


May be an option on a
compiler
Fuzz Testing: generates
random input to test
exceptions, incorrect
input
Vulnerability Testing
Buffer Overflow: Can long input affect service?
Script Injection: Can input with scripts execute?
Numeric Overflow: Can a large number become a
negative or small number?
Race Condition: Can multiple threads cause errors?
Configuration Issues: Can software be installed
improperly, causing abuse?
Programmer Backdoors: Have programmers left hooks
providing entry or information?
Mature Software Practices
Software Assurance Maturity Model
Building Security In Maturity Model
(SAMM)
(BSIMM)
Governance
Construction
Verification
Strategy & Metrics
Strategy & Metrics
Policy & Compliance
Compliance & Policy
Education & Guidance
Training
Threat Assessment
Intelligence
Attack Models
Security Requirements
Security Features & Design
Secure Architecture
Standards & Requirements
Design Review
Security Testing
Secure
Architectural Analysis
Software
Development Code Review
Life Cycle
Security Testing
Touchpoints
Vulnerability Mgmt
Deployment
Code Review
Deployment
Governance
Penetration Testing
Environment Hardening
Software Environment
Operational Enablement
Configuration Mgmt. &
Vulnerability Mgmt.
Agile Development


Security training is important!
Include Evil User Stories in every Sprint



Analyze risk at start of sprint, backlog change
Address Security features



"As a hacker, I send bad data in forms, so I can modify the
database in unauthorized ways."
authentication, access control, input validation, output encoding,
error/exception handling, encryption, data integrity, logging and
alarms, and data communication security
Review code for security
Test using code analyzers, fuzz testing, auto/manual
penetration tests
Jamie Ramon MD
Doctor
Chris Ramon RD
Dietician
Terry
Medical Admin
Pat
Software Consultant
HEALTH FIRST CASE STUDY
Security Requirements
Step 1: Identify Critical Assets
All of this information is
protected by HIPAA
HIPAA=Health
Insurance Portability
and Accountability Act
HIPAA protects:
Confidentiality: In
transmission, on disk,
or any other form.
Integrity: All
transactions are logged
as to who did them and
why. Hashing
(sophisticated
checksums) are also
required.
Step 2: Define security goals
Confidentiality
Integrity
Patient
Information:
Appointments,
Medical history,
Treatment,
Prescriptions,
Bills
Impact Rating:
* Low Priority
** Medium Priority
*** High Priority
Availability
Step 2: Define security goals
Patient
Information:
Appointments,
Medical history,
Treatment,
Prescriptions,
Bills
Confidentiality
Integrity
Availability
HIPAA
Requirement
HIPAA
Requirement,
Malpractice law
suit if accidental
death
Malpractice law
suit if information
not available
***
***
Impact Rating:
* Low Priority
** Medium Priority
*** High Priority
***
Step 3: Identify Threats
Medical Admin use cases include:
 Make appointment: Patient
may phone for an appt.
 Create Patient Record To
make an appt, a minimal
patient record must exist or be
created
 Register for Appointment:
When the patient arrives for
his/her appt.
 Update Patient: Update
patient medical history
 Determine Health Plan
Eligibility: Ask HMO/PPO
what the patient is eligible for
in coverage – and conditions
Use Case Diagram
Step 3: Identify Threats
What it is
STRIDE
General
Threats
Software Techniques Advanced Security
Secure Password
Digital Certificate
Sec. Awareness
Spoof
Identity
Impersonation
Social Eng.
Tamper w.
Data
No Integrity /
Fraud
Validate input
Stop buffer overruns
Close unused resources
Authentication
Access Control
Message Digest
Repudiation
“I did not do
that!”
Require passwords
Log user transactions
Trans. Logging
Digital Signature
Info
Disclosure
No
Confidentiality
Encrypt data
Encrypt packets
Minimal permissions
Encryption
Authentication
Secure Handling
Denial of
Service
No Availability
System/Network
/DB Full
Validate real user via
CAPTCHA
Test for Failures
Firewall
Intrusion
Prevention
System
Exceed Authority
Take care with error
messages
Hide system files
Require approval
Access Control
Segregation of
Duties
Elevation of
Privilege
Encrypt passwords
No backdoor entry
Security Requirements Process
OCTAVE Security Requirements Process
 Identify critical assets
 Define security goals
3. Identify threats

4.
Analyze risks:

5.
Draw Misuse Diagram from Use Case Diagram
Priority = Impact * Likelihood
Define security requirements


Draw Misuse Diagram with Security Use Cases
Define one Misuse Description (Lightweight or Midweight)