An approach to the specification of security concerns in UML

Abstract

The Object Oriented methodology has been applied in software engineering for a wide range of large and critical systems. One of the modeling languages frequently used for this purpose is UML. As yet, however, the means provided by UML to specify and deal with security concerns are rather sparse. In this paper we propose a practical approach that could readily be incorporated into existing software development processes. We begin by reviewing the main types of security concerns in the various phases of the software development cycle, and set up stereotypes to specify those concerns. The stereotypes are then attached to use case diagrams and later to activity diagrams (and other derived diagrams). At the implementation stage, security concerns can be transformed into more detailed aspects via AOP (aspect oriented programming) techniques. By maintaining the consistency of security stereotypes from phase to phase, the concerns about system security are implemented in a traceable fashion. Such use of security stereotypes does not require a high level of skills or deep knowledge of UML, and can therefore be integrated, with relatively little effort, with many current system development methodologies.