
UML For Security Capturing

The document discusses the use of UML diagrams to model security concerns throughout the software development process. It outlines various diagram types, including Use Case, Class, Sequence, Activity, State Machine, Component, and Deployment diagrams, each serving to capture specific security requirements and interactions. The conclusion emphasizes the importance of integrating security considerations into the design process to mitigate risks and ensure compliance with security requirements.

Uploaded by

mahengejimson02

UML for Security Capturing

MIS. ZUBEDA KILUA

Introduction

• UML provides various diagram types that can be used to model security concerns throughout the development process.
• Below are key UML diagrams that are useful for capturing security requirements, design, and implementation:

a. Use Case Diagram

• Security Use Cases: Create use cases that specifically define how users interact with the system securely. Include "Authenticate User," "Authorize Access," or "View Sensitive Data" as use cases and specify security conditions.
• Actor Security: Define actors such as users, admins, and external systems, along with their security privileges.

Example:
• Actor: Admin
• Use Case: Manage User Permissions
• Security Concerns: Role-based access control (RBAC), authentication.

b. Class Diagram

• Security Class Attributes: Add security-related attributes to classes, such as encrypted fields, access control lists (ACLs), or secure tokens.
• Dependencies: Show dependencies between secure components, like an encryption service, secure database, or authentication provider.

Example:
• Class User: Attributes like passwordHash, role, and methods such as authenticate() and authorize().
• Class Session: Methods for createSession() and validateSession().
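
The User and Session classes from the class diagram example, realized in Python as an added example that is not part of the original slides. The permission names, PBKDF2 work factor, session lifetime, and snake_case method names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed RBAC table; the slides name roles and use cases but no permission strings.
ROLE_PERMISSIONS = {
    "admin": {"manage_user_permissions", "view_sensitive_data"},
    "user": {"view_sensitive_data"},
}
PBKDF2_ITERATIONS = 600_000  # assumed work factor
SESSION_TTL = 900            # assumed session lifetime in seconds


class User:
    def __init__(self, name, password, role):
        self.name = name
        self.role = role
        self._salt = os.urandom(16)
        self.password_hash = self._derive(password)  # passwordHash on the slide

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)

    def authenticate(self, password):
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self.password_hash, self._derive(password))

    def authorize(self, permission):
        # Unknown roles get the empty permission set (deny by default).
        return permission in ROLE_PERMISSIONS.get(self.role, set())


class Session:
    def __init__(self):
        self._active = {}  # token -> (user, expiry)

    def create_session(self, user, password):
        if not user.authenticate(password):
            return None
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._active[token] = (user, time.monotonic() + SESSION_TTL)
        return token

    def validate_session(self, token, now=None):
        user, expiry = self._active.get(token, (None, 0.0))
        if user is None or (time.monotonic() if now is None else now) >= expiry:
            self._active.pop(token, None)  # drop expired or unknown tokens
            return None
        return user
```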

c. Sequence Diagram

• Security Interactions: Use sequence diagrams to show secure interactions between actors and systems, focusing on authentication, authorization, and data encryption flows.
• Authentication and Authorization: Model the interactions where a user requests access to a resource and the system performs authentication and authorization checks.

Example:
• User sends login request.
• Authentication Service validates credentials.
• Authorization Service checks user’s role.
• System grants or denies access.

d. Activity Diagram

• Security Workflow: Model workflows that include security checks, such as login, logout, data access, or transaction processes, ensuring secure transitions between steps.
• Error Handling and Logging: Show alternative flows for invalid authentication, logging failed login attempts, or access denials.

Example:
• User initiates login →
• System checks credentials →
• If valid, grant access; otherwise, log error.

e. State Machine Diagram

• Security States: Model the states of an object, such as a user session, highlighting security-related transitions such as "logged in," "authenticated," or "suspended."
• Transition Guards: Define conditions that must be met for transitions, e.g., only allow access to a particular state after authentication.

Example:
• States: Unauthenticated, Authenticated, Suspended.
• Transitions: From Unauthenticated to Authenticated upon successful login.
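
The state machine above, combined with the activity diagram's "log error" branch, written out in Python as an added example that is not part of the original slides. The transition into Suspended after three failed logins, the logout transition, and the in-memory audit log are assumptions; the slides only define the Unauthenticated to Authenticated transition.

```python
from enum import Enum


class State(Enum):
    UNAUTHENTICATED = "Unauthenticated"
    AUTHENTICATED = "Authenticated"
    SUSPENDED = "Suspended"


MAX_FAILURES = 3  # assumed lockout threshold; the slides give no number


class SessionStateMachine:
    def __init__(self):
        self.state = State.UNAUTHENTICATED
        self.failures = 0
        self.audit_log = []  # stand-in for a real security log

    def login(self, credentials_valid):
        # Guard: a login event is only accepted in Unauthenticated,
        # so a Suspended session cannot be revived by a correct password.
        if self.state is not State.UNAUTHENTICATED:
            self._log("login rejected in state " + self.state.value)
            return self.state
        if credentials_valid:
            self.failures = 0
            self.state = State.AUTHENTICATED
        else:
            self.failures += 1
            self._log(f"failed login #{self.failures}")
            if self.failures >= MAX_FAILURES:
                self.state = State.SUSPENDED
                self._log("account suspended")
        return self.state

    def logout(self):
        if self.state is State.AUTHENTICATED:
            self.state = State.UNAUTHENTICATED
        return self.state

    def access_resource(self):
        # Transition guard from the slide: access only after authentication.
        allowed = self.state is State.AUTHENTICATED
        if not allowed:
            self._log("access denied in state " + self.state.value)
        return allowed

    def _log(self, message):
        self.audit_log.append(message)
```

Leaving Suspended is deliberately not modeled; in a real design that transition would be a separate, guarded administrative action.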

f. Component Diagram

• Secure Components: Model components like firewalls, security gateways, authentication modules, and data encryption modules that make up the secure system architecture.
• Security Interfaces: Specify interfaces between components that are responsible for security operations like token generation, encryption, and access control.

Example:
• Components: Web Server, Authentication Service, Database.
• Interfaces: Auth API, Data Encryption.

g. Deployment Diagram

• Security in Deployment: Show the deployment of security components, such as firewalls, intrusion detection systems, and VPNs, to protect the system’s environment.
• Secure Network Topology: Model secure communication paths (using TLS, VPN) and network partitions for sensitive services.

Example:
• Nodes: Client, Web Server, Database Server.
• Communication paths: HTTPS, VPN, and access control mechanisms.

Conclusion

• Incorporating secure development methodologies and using UML diagrams to represent security aspects can be a powerful way to ensure that security considerations are not an afterthought but an integral part of the software design process.
• By creating these diagrams and following secure SDLC practices, you can mitigate risks and ensure that the system meets security requirements.

LAB WORK 1:
Find any system/project and, with the help of software, draw UML diagrams showing security features of that system.
