Pluggable Model-Based Security Policy Enforcement Mechanism for Software Development

Security in software applications is frequently an afterthought. Even if developers are aware of software vulnerabilities, they possess little knowledge of how to secure the applications while writing codes. In addition, the lack of tools for security automation makes it more challenging to protect systems and applications. This dissertation introduces a framework to incorporate security policies for data fields in the transactions of software application during its development phase. The objective is to facilitate developers to apply security policies on the data required by the regulations. The extensibility of the presented model gives the flexibility to accommodate different security requirements and to implement them as security functions. With the simplicity of mapping data fields of business structures with security policies and their associated security functions, this approach provides the programmers, business domain experts and security experts a collaborative process to define and incorporate security requirements in software. The proposed model-based security policy mechanism addresses the complexity of securing confidential information at the process level by enforcing pre-defined security policies on the data before the data is transmitted outside the application boundary, regardless of the destination or repository that the data will be stored. The separation of security policies and the application provides a granular control to protect the data field via different security techniques such as access control or encryption. This mechanism is flexible so that it can be used in either legacy applications or new applications. The application of this approach on the payment card industry payment application data security standard has been evaluated to validate the flexibility and extensibility of the proposed model.