Integrating Security Concerns into Software Development

It has become clear in software development that functionality and security must go hand in hand in cases where security concerns are to be incorporated early in stages of design. An essential aspect of such a process is threat modeling that integrates security with functional specification. Such an approach includes construction of two models: a functional model and a security (threat) model. The problem of integration involves assimilating security concerns while developing system specifications. One solution is to represent the dynamic behavior of security attacks as statechart diagrams and integrate the attacks into the functional behavior of the system; however, such an approach results in a complex set of fragmented descriptions lacking an underlying conceptual representation that can be tailored to include security concerns. This paper introduces a flow-based diagrammatic representation that includes such features. The advantages of the methodology are demonstrated through contrasting it with a statechart-based study case.