Modeling Complex Systems by Separating Application and Security Concerns H. Gomaa, M. Shin, "Modeling Complex Systems by Separating Application and Security Concerns", in 9th IEEE International Conference on Engineering Complex Computer Systems (ICECCS 2004), pp. 19-28, 2004. Presented by: VenkataRamana


Outline

This paper discusses an approach to reducing the system complexity of a complex application, based on the following points:

• Modeling application requirements separately from security requirements and designs, using the UML notation.

• Security requirements are captured in security use cases and encapsulated in security objects.

• The security use cases can have parameters, whose values are passed from the business use cases that they extend; i.e., a security use case extends an application use case.

• The security concerns are presented in the functional view and in both the static and dynamic UML design models.
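
As an added illustration (not taken from the paper or from this presentation), the sketch below shows the separation in Python: a business use case exposes extension points, and security objects attach security use cases that receive the business use case's parameter values. The class names, the "before"/"after" extension points and the banking data are all assumptions made for this example.

```python
# Added illustration; every class, function and extension-point name is hypothetical.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

class SecurityViolation(Exception):
    """Raised by a security object to abort the business use case."""

@dataclass
class UseCase:
    """Business use case: application logic plus named extension points."""
    name: str
    body: Callable[[dict], str]
    extensions: Dict[str, List[Callable[[dict], None]]] = field(default_factory=dict)

    def extend(self, point: str, security_use_case: Callable[[dict], None]) -> None:
        self.extensions.setdefault(point, []).append(security_use_case)

    def run(self, **params) -> str:
        # Parameter values flow from the business use case to each extension.
        for ext in self.extensions.get("before", []):
            ext(params)
        result = self.body(params)
        for ext in self.extensions.get("after", []):
            ext({**params, "result": result})
        return result

class AccessControl:
    """Security object encapsulating the authorization concern."""
    def __init__(self, permissions: Dict[str, set]):
        self.permissions = permissions

    def check(self, operation: str) -> Callable[[dict], None]:
        def security_use_case(p: dict) -> None:
            if operation not in self.permissions.get(p["user"], set()):
                raise SecurityViolation(f"{p['user']} may not {operation}")
        return security_use_case

class RepudiationLog:
    """Security object recording who completed which operation."""
    def __init__(self) -> None:
        self.evidence: List[tuple] = []

    def record(self, p: dict) -> None:
        self.evidence.append((p["user"], p["result"]))

def transfer(p: dict) -> str:  # application logic only, no security code
    return f"moved {p['amount']} from {p['src']} to {p['dst']}"

def build_secured_transfer():
    uc = UseCase("Transfer Funds", transfer)
    acl, log = AccessControl({"alice": {"transfer"}}), RepudiationLog()  # constructed data
    uc.extend("before", acl.check("transfer"))
    uc.extend("after", log.record)
    return uc, log
```

The same `transfer` body runs unchanged with or without the extensions attached, and a failed authorization check stops the use case before any application logic executes or any evidence is recorded.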


Appreciation (in the paper)

The paper analyzes the significance of security concerns by considering potential threats to distributed applications, such as authorization violation, confidentiality, integrity, system penetration and repudiation.


Appreciation (my view)

In my view, this approach helps to know the performance perspective of an application by separating the security concerns.

Security mechanisms become more adaptable and there are chances of reducing implementation errors.


Critical comment

The paper says there are restrictions on extending a business use case with security use cases, but does not come up with a solution that solves the problem.

Example of a security extension case of a banking system.


Question

Some security concerns cannot be well separated into one class or method, but cut across many classes and methods.

Example: logging. It affects every single logged part of the system.