A comparison of approaches for modeling software security requirements using unified modeling language extensions

Abstract

The unified modeling language (UML) supports extension mechanisms called stereo-types, tagged values, and constraints to extend its modeling capabilities. These extension mechanisms are utilized to create new and customized profiles. Their applications in modeling emerging security requirements are discussed. To model authentication, availability, integrity, access control, confidentiality, data integrity, non-repudiation, authorization, encryption, hashing, and session mechanisms, a set of novel stereotypes is proposed in this paper. The proposed stereotypes inherit from baseline security requirements. Further, security concepts within the UML diagram are represented using these stereotypes. In addition, the proposed stereotypes were evaluated with the help of human subject evaluation using real-world scenarios to illustrate the usefulness of these stereotypes in modelling security requirements. The contribution of this paper is a stereotyped model security requirements and library of existing security notations with high quality symbols which can be incorporated in existing and new stereotypes and diagrams to facilitate the process of security requirement modelling. Results indicate that the proposed stereotyped model improves the modeling process of security requirements. It also provides a better representation of emerging security mechanisms in software design. Finally, during the software development process, stakeholders enjoy improved communication and understanding of security requirements.