
Method For Software Security Design Based On Security Pattern

Posted on: 2012-12-14
Degree: Master
Type: Thesis
Country: China
Candidate: T Wang
Full Text: PDF
GTID: 2178330332499211
Subject: Computer software and theory

Abstract/Summary:
Currently, security is not treated as an important attribute in the software development process. There are several reasons for this. First, software developers do not care about it or lack security knowledge. Second, systems are becoming larger and larger. Third, development time is so limited that developers have to finish the functional part first. This incomplete process causes security defects in the final product. To solve this problem, much research has focused on this area. Some work is on security specification languages; some is on software analysis and design, such as that of the aspect community and the security pattern community; and still other work approaches the problem from the perspective of the development process. This paper focuses on the latter two kinds.

The main concern of this paper is how to ensure software security. It combines the risk management process with the POAD (Pattern-Oriented Analysis and Design) method process, and uses security patterns to remove risk from the early phases of the development process. The risk management process contains four activities: risk identification, risk evaluation, risk removal and evaluation of solutions. This process is common to all engineering fields; this paper adapts it to software development by following research on security insurance methods and processes. The POAD method is about how to compose design patterns to design a software system. In this paper, we adopt some of the ideas that the POAD method proposes, and studies from the pattern community and the security pattern community also contribute a lot. The paper is based on these two main processes, and we arrange the order of the practices in these two processes.

We divide our method into three stages, which contain nine practices.

1) The risk confirmation phase. Two practices need to be done in this phase: risk identification and risk evaluation.
2) The system high-level design phase. Four practices need to be done in this phase: familiarization with the pattern library, selection of the pattern, evaluation of the pattern and construction of the high-level design.
3) The system design refinement phase. There are three practices in this phase: design of the business class diagram, instantiation of the security pattern, and composition of the business class diagram and the security pattern diagrams.

To relieve the burden on developers and automate some of the process, a tool is provided to support our method. The main function of this tool is to manage the risk information produced during the process and to trace the state of each risk. A security pattern library is also built to support reuse of security knowledge. Its main functions include editing of security patterns, application of patterns, classification of patterns and so on. The tool is designed using the MVC architecture pattern to clarify the business logic.

The paper has five innovations that distinguish our work from others'. The first is the combination of the risk management process and the pattern community's POAD method. The second is the localization of general methods. For example, the risk management process is common to most engineering areas, but this paper makes it specific to software development; the POAD method process also fits all design patterns, but this paper confines the patterns to security patterns. The third is "micro-creativity" in the way the practices are carried out: in adopting the above two processes, we do not confine ourselves to their original format, but make some changes. The fourth is the composition of existing tools' functions. Before this work, the supporting system for the process and the pattern library system were different systems; in our work, the two parts are composed together. The fifth is the use of classical algorithms and third-party class libraries. String similarity algorithms are used to automatically recommend solutions, which facilitates the retrieval process. SmartUpload is used to upload files to the database. The IK Analyzer toolkit is used for Chinese word segmentation and search, which provides much help for data retrieval.
Keywords/Search Tags:Security insurance, Pattern-Driven, Risk management, Pattern library, Security pattern