
    Misalignment challenges when integrating security requirements into mobile banking application development

    This study identifies and explores the core challenge faced when integrating security requirements into the mobile application software development life cycle. Studies on key issues in Information Systems (IS) have been ongoing in the past decades, with security moving up the ranks of top issues in IS. Security requirements can be added into mobile application development processes by practising secure coding or by adding a third-party security tool. This study gathered data from a single case study and employs grounded theory methodology to reveal misalignment as the core challenge to integrating security requirements into mobile banking application development. Identified forms of misalignment include that between security requirements and (1) external entities, (2) roles, (3) skills and (4) system requirements. Some of the findings indicate the need for further research. Research indicates that mobile application development follows agile methods for development. Agile methods have been compared with Complex Adaptive Systems (CAS). For this reason, research in IS could benefit from studies that focus on CAS as a theory to provide a better explanation of the misalignment issues in mobile application development. From the current study, the research also identified the need to address misalignment issues before embarking on a project that involves integrating security requirements.

    Misalignment - the core challenge in integrating security and privacy requirements into mobile banking application development

    This study identifies and explores the core challenge faced when integrating security and privacy requirements into the mobile banking software development life cycle. Studies on key issues in Information Systems (IS) have been ongoing for several decades, with security and privacy moving up the ranks of top issues in IS. Security and privacy requirements can be added into the mobile application development processes by practising secure coding and/or by adding a third-party security tool. This study gathered data from a single case study; it employs grounded theory methodology to reveal misalignment as the core challenge to integrating security and privacy requirements into mobile banking application development. The forms of misalignment are between security and privacy requirements and (1) external entities, (2) roles, (3) skills and (4) system requirements. The nature of the mobile application domain results in the misalignment forms identified above. Some of the findings indicate the need for further research. Research indicates that mobile application development follows agile methods for development. Agile methods have been compared with Complex Adaptive Systems (CAS). For this reason, research in IS could benefit from studies that focus on CAS as a theory to provide a better explanation of the misalignment issues in mobile application development.

    Aspect-Oriented Modeling for Representing and Integrating Security Aspects in UML Models

    Security is a challenging task in software engineering. Traditionally, addressing security concerns is considered an afterthought to the development process, and security mechanisms are fitted into pre-existing software without considering the consequences for the main functionality of the software. Enforcing security policies should be taken care of during the early phases of the software development life cycle; this benefits the development costs and reduces the maintenance time. In addition to cost saving, this encourages the development of reliable software. Since security-related concepts will be considered in each step of the design, understanding the implications of inserting such concepts into the existing system requirements will help mitigate the defects and vulnerabilities present in the system. However, integrating security solutions into every stage of the software development cycle results in scattering and tangling of security features across the entire design. The traditional security hardening approaches are tedious and prone to many errors, as they involve manual modifications. In this context, the need for a systematic way to integrate security aspects/mechanisms into the design phase of the development cycle should be considered. In this work, an aspect-oriented modeling approach for specifying and integrating security aspects into a Unified Modeling Language (UML) design model is presented. This approach allows security experts to specify generic security aspects and weave them into the target software base model early in the software development phase. In contrast to traditional approaches, the model-to-model transformation mechanisms discussed in this approach are designed to have an efficient and fully automatic weaving process. This work further discusses additional components that are introduced into the weaving process. These newly introduced components allow security experts to provide more appropriate security hardening concepts. Furthermore, the additional components are designed based on object-oriented principles and allow security experts to exercise these principles in the model-to-model transformation. The additions to the weaver application are tested using the Session Initiation Protocol (SIP) communicator as a base model. The description of the additional components and the results of testing the weaving process are discussed further in this thesis.

    A Framework for Analyzing Composition of Security Aspects

    The methodology of aspect-oriented software engineering has been proposed to factor out concerns that are orthogonal to the core functionality of a system. In particular, this is a useful approach to handling the difficulties of integrating non-functional requirements such as security into complex software systems. Doing so correctly and securely, however, still remains a non-trivial task. For example, one has to make sure that the "weaving" process actually enforces the aspects needed. This is highly non-obvious, especially in the case of security, since different security aspects may actually contradict each other, in which case they cannot be woven in a sequential way without destroying each other. To address these problems, this paper introduces a framework for the aspect-oriented development of secure software using composition filters at the model level. Using an underlying foundation based on stream-processing functions, we explore under which conditions security properties are preserved when composed as filters. Thanks to this foundation we may also rely on model-level verification tools and on code and model weaving to remedy security failures. Our approach is explained using as case studies a web banking application developed by a major German bank and a web store design.

    Model-Driven Development of Distributed Ledger Applications

    Distributed Ledger Technology (DLT) is one of the most durable results of virtual currencies, which goes beyond the financial sector and impacts business applications in general. Developers can empower their solutions with DLT capabilities to attain such benefits as decentralization, transparency, non-repudiability of actions, and security and immutability of data assets, at the price of integrating a distributed ledger framework into their software architecture. Model-Driven Development (MDD) is the discipline that advocates the use of abstract models and of code generation to reduce the application development and integration effort by delegating repetitive coding to an automated model-to-code transformation engine. In this paper, we explore the suitability of MDD to support the development of hybrid applications that integrate centralized database and distributed ledger architectures, and describe a prototypical tool capable of generating the implementation artefacts starting from a high-level model of the application and its architecture. This preprint has not undergone peer review (when applicable) or any post-submission improvements or corrections. The Version of Record of this contribution is published in Lecture Notes in Computer Science, and a link to the published version will be added when available.

    A taxonomy of approaches for integrating attack awareness in applications

    Software applications are subject to an increasing number of attacks, resulting in data breaches and financial damage. Many solutions have been considered to help mitigate these attacks, such as the integration of attack-awareness techniques. In this paper, we propose a taxonomy illustrating how existing attack-awareness techniques can be integrated into applications. This work provides a guide for security researchers and developers, aiding them when choosing the approach which best fits the needs of their application.