Security Solution Decision Support Framework
10. The Aspect-Oriented Risk Driven Development (AORDD) Framework
The security solution decision support approach developed in this work is called the Aspect Oriented Risk Driven Development (AORDD) framework. The AORDD framework combines the risk driven development (RDD) work of the CORAS project with the aspect-oriented modelling (AOM) work of the AOM group at Colorado State University (CSU) (see http://www.cs.colostate.edu/~france/#Projects). The framework benefits from techniques in ATAM, CBAM, subjective expert judgment, security assessment and management, the Common Criteria, operational measures of security and BBN, and is tailored for aiding decision makers, designers and the like in choosing the best-fitted security solution or set of security solutions among alternatives. The context of this work is security solution decisions for information systems in general and e-commerce systems in particular.
Figure 10.1 illustrates the AORDD framework and its seven components which are:
1. An iterative AORDD process.
2. Security solution aspect repository.
3. Estimation repository to store experience from estimation of security risks and security solution variables involved in the trade-off tool BBN topology of component 5.
4. RDD annotation rules for security risk and security solution variable estimation.
5. The AORDD security solution trade-off analysis and trade-off tool BBN topology.
6. Rule set for how to transfer RDD information from the annotated UML diagrams into the trade-off tool BBN topology.
7. Trust-based information aggregation schema to aggregate disparate information in the trade-off tool BBN topology.
[Figure 10.1: block diagram of the AORDD Framework showing its seven components: the AORDD Process, the AORDD security solution trade-off analysis, the Security aspect repository, the Estimation repository, the RDD annotation rules, the RDD information input rule set, and the Trust-based information aggregation schema.]
Fig. 10.1. The seven components of the AORDD framework
The main components of the AORDD framework are component 5, the AORDD security solution trade-off analysis, and component 7, the trust-based information aggregation schema. The five other components in the framework are supportive components for components 5 and 7. This means that they provide either the underlying process or the techniques necessary to support the identification of the best-fitted security solution among alternative security solutions, which is the task of components 5 and 7.
What is important to note for the AORDD framework is that it can be used in all phases of the life-cycle of a system and that it is a general security solution decision support framework. The latter means that the approach is in principle applicable to all types of information systems. However, as mentioned earlier, this work has only looked into the use of the AORDD framework for supporting security solution decisions in e-commerce systems, where the focus has been on the design phase of a development. Details are in Part 6 of this thesis.
Security solution decisions in the design phase of a development are called security design decisions. In such decisions separation of concerns is important to distinguish between the alternative security solutions so that they can be evaluated against each other. In the AORDD framework separation of concerns is supported by the AORDD security solution trade-off analysis through affiliating AOM techniques in combination with RDD techniques. AOM techniques offer the ability to separate security solutions to security problems and challenges of an information system from the core functionality of the information system. AOM achieves this by modelling each alternative security solution as a separate and independent security solution aspect and by gathering the core functionality of the system in what is called the primary model. This clear separation makes it possible to evaluate one security solution at a time and to observe in practice how the different alternatives affect the core functionality of the system. For this to be effective in practice, effective and tool-supported composition techniques, security verification and composition analysis are necessary.
The AORDD framework makes use of the AOM technique developed at CSU, which includes composition techniques and to some extent tool support for composing security solution aspects with the core functionality of an information system modelled in the primary model. The security verification approach used in the AORDD framework is the UMLsec approach developed by Jürjens (2005) [67]. The UMLsec approach is tool-supported and proven to be fairly effective and accurate. Details are in [67]. It should be noted, however, that thus far the AORDD framework has only used the UMLsec approach to verify the security attributes of the security solution aspects and not the final composed model.
Techniques for analysing the composed model to check that no security design flaws arise as a result of the composition, and that the resulting model preserves the security attributes of the security solution, have not been explored to any great extent thus far. The latter is on-going work and the initial ideas are described in Georg, Houmb and Ray (2006) [35].
Information on AOM and AOM techniques can be found in [33, 34, 98] and the references therein. Additionally, Houmb et al. (2006) [48] in Appendix B.2 provides a brief introduction to AOM and describes the role of AOM in the AORDD security solution trade-off analysis. Details on the AORDD framework and its components are in Houmb and Georg (2005) [42], Appendix B.1. Houmb et al. (2006) [48] in Appendix B.2 gives an overview of a specialised version of the AORDD framework called the Integrated Security Verification and Security Solution Design Trade-Off Analysis (SVDT) approach.