proSecCo - providing Security in Component-based Systems
Data integrity (including program code), information confidentiality and service availability are typical security requirements which often must be taken into account when developing and operating software. In software engineering, there is only little support for a rigorous implementation of such security demands by an adequate design procedure.
The project proSecCo aims at developing procedures and tools offering to the engineer a systematic and verifiable implementation of the security requirements. Based on preceding research activities at the Department of Software Engineering (project CITY),
At implementation level, a separate view of security logic and actual functional code will be supported as far as possible; this helps reducing fault proneness and easing the re-use of proven security logic.
Among the most important security requirements in information technology is a reliable, timely and confidential identification of system users. For this purpose a number of different authentication strategies are already available, mainly characterised by knowledge-based, owner-based or biometry-based techniques. Depending on the specific demands of a given application different (possibly combined) technique(s) may be most appropriate.
This sub-project deals with the identification and the analysis of factors influencing the optimal authentication strategy. Such factors include number and roles of the users to be identified, as well as requirements underlying the application considered such as performance, accuracy, reliability and scalability.
Based on a preliminary analysis classical risk analysis techniques, such as fault tree analysis will be applied in order to determine as systematically and completely as possible potentially insecure scenarios and to tolerate them by efficient countermeasures, possibly via adequate fall-back levels and exception handlers.
The results obtained will be exemplarily applied to the specification, the design, the implementation and the test of a real-world system for data acquisition in the service industry.