Security Engineering Process - Short Description
The Security Engineering Process (SEP) helps the system engineer in the creation of her secure system in many ways. This process (and the tool that supports it) is being developed together with NoMagic Inc. (creator of MagicDraw). While in the current processes the system engineer needs a very strong security expertise in order to create the security properties of the system, its solutions (implementations), tests that check if they are secure and provide the necessary functionality, etc. the SEP provides the necessary information and tools to the system engineer so her work is very simplified.
The process has a separation of responsibilities functionality so each specific task is done by a specific user. This way, there exist a user that creates the security libraries (DSMs), other user creates the security solutions and patterns (Security Patterns and Security Building Blocks), other user creates the system model using the security libraries, etc. The best benefit for the system engineer is that she doesn't need to create the security solutions, tests and certifications for the system she is creating, she only needs to obtain a DSM for the specific domain she is working with (MANET, Web Services, Metering Devices, etc.) and apply the security properties defined there for fulfilling the security requirements of the system.
Each security property provides: information about the property, tests for checking its resilience, information of the external or additional elements it needs, the different solutions that implement the security property (e.g. a solution using a security api, using TPMs, etc.), certifications provided by the security solution and how to assure them, etc.
The other main role of the SEP is the DSM creator. She creates DSMs that contain solutions for each security properties. The DSMs are uploaded to a web repository (e.g. http://proteus.lcc.uma.es:8600/RepositorySite/dsm/list.html) where they are parsed and can be accessed by any user. We plan in creating private repositories with companies we have work with in order to help them create DSMs for their work domains so they can be used by their system engineers. The DSMs of the public repositories will be used also for creating a community and improve them with new and better functionality.