Managing Software Security Knowledge in Context: An Ontology Based Approach
Abstract
:1. Introduction
2. Context and Knowledge Management
3. Design of the Ontology
3.1. Application Context Modeling
- The functional area (and the corresponding functionalities) that the application is associated with.
- The application category that scenario/functionality belongs to.
- The platforms that the scenario functionality is used.
- Application category: It is a set of characteristics to categorize software applications, in which two sub-classes are included: Paradigms (e.g., web, mobile, and desktop applications, etc.) and Domains (e.g., banking, health, and logistics applications, etc.).
- Platform type: This superclass specifies programming languages, technologies, and architectures that are used to create the software application. Technology can be provided by a certain programming language. For example, Silverlight is the technology that has been implemented in C# language, while J2EE is the subset of Java technologies. Architectures refer to the fundamental system structure used to operate the application, such as the MySQL database management system and an Android operating system.
- Functional area: It is a group of application functionalities, which represents an aspect of software applications that can be performed by users or other systems in a particular application category. For example, “Outputting HTML” is a functional area in web applications paradigm, in which “Generating HTML dynamically using user-supplied data” is one of the functionalities. A functionality is supported and run on some combination of platform types.
3.2. Security Domain Modeling
- Security Attack: This represents actions taken against the software application with the intention of doing harm. Examples are SQL injection, Cross-Site Scripting (XSS), etc. Security attacks exploit security weakness existed in software applications.
- Security Practice: This represents methods, procedures or techniques to prevent security weakness. Examples are “Input validation” and “Output encoding” in preventing XSS.
- Security Weakness: This represents bug, flaws, vulnerabilities and other errors exist in the software applications. Examples are “Improper to neutralize input during HTML generation” and “Fail to perform a bound check while copying data into memory stack”.
3.3. Security Contextualization Modeling
4. Evaluation of the Ontology
- (1)
- Difficulty to model software technologies and architectures in application context model,
- (2)
- No category classes to group knowledge items in the security domain model, and
- (3)
- No vulnerability concepts in the security domain model.
5. Discussion
6. Related Work
7. Conclusions and Future Work
Author Contributions
Funding
Conflicts of Interest
References
- McGraw, G. Software Security: Building Security In; Addison-Wesley Professional: Boston, MA, USA, 2006; Volume 1. [Google Scholar]
- Rus, I.; Lindvall, M. Knowledge management in software engineering. IEEE Softw. 2002, 19, 26. [Google Scholar] [CrossRef]
- Henninger, S. Case-based knowledge management tools for software development. Automated Softw. Eng. 1997, 4, 319–340. [Google Scholar] [CrossRef]
- Cheng, C.K.; Kurfess, F.J. A Context-Based Knowledge Management Framework for Software Development. Int. J. Comp. Integr. Man. 2009, 22, 1073–1088. [Google Scholar]
- Fenz, S.; Ekelhart, A. Formalizing information security knowledge. In Proceedings of the 4th international Symposium on information, Computer, and Communications Security, Sydney, Australia, 10–12 March 2009; pp. 183–194. [Google Scholar]
- Tsoumas, B.; Gritzalis, D. Towards an ontology-based security management. In Proceedings of the 20th International Conference on Advanced Information Networking and Applications, Vienna, Austria, 18–20 April 2006; pp. 985–992. [Google Scholar]
- Brézillon, P. Making context explicit in communicating objects. In Communicating with Smart Objects: Developing Technology for Usable Pervasive Computing Systems; ISTE Publishing Company: London, UK, 2003. [Google Scholar]
- Brézillon, P. Modeling and Using Context: Past, Present and Future. Available online: http://ftp.lip6.fr/lip6/reports/2002/lip6.2002.010.pdf (accessed on 23 March 2019).
- Brézillon, P.; Pomerol, J.-C. Contextual knowledge sharing and cooperation in intelligent assistant systems. Le Travail Humain 1999, 62, 223–246. [Google Scholar]
- Brézillon, P.; Araujo, R. Reinforcing shared context to improve collaboration. Revue d’Intel. Artif. 2005, 19, 537–556. [Google Scholar] [CrossRef]
- Klemke, R. Context Framework - an Open Approach to Enhance Organisational Memory Systems with Context Modelling Techniques. In Proceedings of the Third International Conference on Practical Aspects of Knowledge Management (PAKM2000), Basel, Switzerland, 30–31 October 2000. [Google Scholar]
- Jafari, M.; Fathian, M.; Jahani, A.; Akhavan, P. Exploring the contextual dimensions of organization from knowledge management perspective. VINE 2008, 38, 53–71. [Google Scholar] [CrossRef]
- Goldkuhl, G.; Braf, E. Contextual knowledge analysis-understanding knowledge and its relations to action and communication. In Proceedings of the Second European Conference on Knowledge Management, Bled, Slovenia, 8–9 November 2001; pp. 197–208. [Google Scholar]
- Bishop, M. A Clinic for” Secure” Programming. IEEE Secur. Priv. 2010, 8. [Google Scholar] [CrossRef]
- Birkenkrahe, M. How large multi-nationals manage their knowledge. Bus. Rev. 2002, 4, 2–12. [Google Scholar]
- Rosa, M.G.; Borges, M.R.; Santoro, F.M. A conceptual framework for analyzing the use of context in groupware. In Groupware: Design, Implementation, and Use; Springer: Berlin/Heidelberg, Germany, 2003; pp. 300–313. [Google Scholar]
- Curtis, B.; Krasner, H.; Iscoe, N. A field study of the software design process for large systems. Comm. ACM 1988, 31, 1268–1287. [Google Scholar] [CrossRef]
- Errington, E.P. Being there: Closing the gap between learners sand contextual knowledge using near-world scenarios. Int. J. Learn. 2009, 16, 585–594. [Google Scholar]
- Pashler, H.; Bain, P.M.; Bottge, B.A.; Graesser, A.; Koedinger, K.; McDaniel, M.; Metcalfe, J. Organizing Instruction and Study to Improve Student Learning; U.S. Department of Education, National Center for Education Research: Washington, DC, USA. Available online: https://files.eric.ed.gov/fulltext/ED498555.pdf (accessed on 23 March 2019).
- Tudorache, T.; Nyulas, C.; Noy, N.F.; Musen, M.A. WebProtégé: A collaborative ontology editor and knowledge acquisition tool for the web. Semant. Web 2013, 4, 89–99. [Google Scholar]
- Harris, S.; Seaborne, A.; Prud’hommeaux, E. SPARQL 1.1 query language. 2013. Available online: https://www.w3.org/TR/sparql11-query/ (accessed on 23 March 2019).
- Brank, J.; Grobelnik, M.; Mladenic, D. A survey of ontology evaluation techniques. In Proceedings of the conference on data mining and data warehouses (SiKDD 2005), Ljubljana, Slovenia, 5 October 2015; pp. 166–170. [Google Scholar]
- Hlomani, H.; Stacey, D.J. Approaches, methods, metrics, measures, and subjectivity in ontology evaluation: A survey. Semant. Web Inf. Syst. 2014, 1, 1–11. [Google Scholar]
- Gruber, T.R. A translation approach to portable ontology specifications. Knowl. Acquisit. 1993, 5, 199–220. [Google Scholar] [CrossRef]
- Uschold, M.; Gruninger, M. Ontologies: Principles, methods and applications. Knowl. Eng. Rev. 1996, 11, 93–136. [Google Scholar] [CrossRef]
- Noy, N.F.; McGuinness, D.L. Ontology Development 101: A Guide to Creating Your First Ontology; Stanford knowledge systems laboratory technical report KSL-01-05 and Stanford medical informatics technical report SMI-2001-0880; Stanford University: Stanford, CA, USA, 2001. [Google Scholar]
- Wang, X.; Dong, J.S.; Chin, C.-Y.; Hettiarachchi, S.; Zhang, D. Semantic space: An infrastructure for smart spaces. IEEE Perv. Comp. 2004, 3, 32–39. [Google Scholar] [CrossRef]
- Gruninger, M. Ontology: Applications and design. Commun. ACM 2002, 45, 39–41. [Google Scholar]
- Patel, C.; Supekar, K.; Lee, Y. OntoGenie: Extracting ontology instances from WWW. In Human Language Technology for the Semantic Web and Web Services, Proceedings of the 7th IEEE International Symposium on Wearable Computers ISWC’03, White Plains, NY, USA, 21–23 October 2003; IEEE: Piscataway, NJ, USA.
- Guo, M.; Wang, J.A. An ontology-based approach to model common vulnerabilities and exposures in information security. In Proceedings of the ASEE 2009 Southest Section Conference, Marietta, GA, USA, 5–7 April 2009. [Google Scholar]
- Syed, R.; Zhong, H. Cybersecurity Vulnerability Management: An Ontology-Based Conceptual Model. In Proceedings of the Twenty-fourth Americas Conference on Information Systems, New Orleans, LA, USA, 16–18 August 2018. [Google Scholar]
- Alqahtani, S.S.; Eghan, E.E.; Rilling, J. Tracing known security vulnerabilities in software repositories–A Semantic Web enabled modeling approach. Sci. Comp. Prog. 2016, 121, 153–175. [Google Scholar] [CrossRef]
- Gyrard, A.; Bonnet, C.; Boudaoud, K. The stac (security toolbox: Attacks & countermeasures) ontology. In Proceedings of the 22nd International Conference on World Wide Web, Rio de Janeiro, Brazil, 13–17 May 2013; pp. 165–166. [Google Scholar]
- Kang, W.; Liang, Y. A security ontology with MDA for software development. In Proceedings of the 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), Nanjing, China, 26–29 May 2013; pp. 67–74. [Google Scholar]
- Guan, H.; Yang, H.; Wang, J. An ontology-based approach to security pattern selection. Int. J. Automat. Comp. 2016, 13, 168–182. [Google Scholar] [CrossRef] [Green Version]
- Manzoor, S.; Vateva-Gurova, T.; Trapero, R.; Suri, N. Threat Modeling the Cloud: An Ontology Based Approach. In Proceedings of the International Workshop on Information and Operational Technology Security Systems, Crete, Greece, 13 September 2018; pp. 61–72. [Google Scholar]
- Salini, P.; Kanmani, S. Ontology-based representation of reusable security requirements for developing secure web applications. Int. J. Intern. Tech. Secur. Trans. 2013, 5, 63–83. [Google Scholar] [CrossRef]
- Busch, M.; Wirsing, M. An Ontology for Secure Web Applications. Int. J. Softw. Inf. 2015, 9, 233–258. [Google Scholar]
- Lasheras, J.; Valencia-García, R.; Tomás Fernández-Breis, J.; Ambrosio Toval Álvarez, J. Modelling reusable security requirements based on an ontology framework. J. Res. Pract. Inf. Tech. 2009, 41, 119. [Google Scholar]
© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Wen, S.-F.; Katt, B. Managing Software Security Knowledge in Context: An Ontology Based Approach. Information 2019, 10, 216. https://doi.org/10.3390/info10060216
Wen S-F, Katt B. Managing Software Security Knowledge in Context: An Ontology Based Approach. Information. 2019; 10(6):216. https://doi.org/10.3390/info10060216
Chicago/Turabian StyleWen, Shao-Fang, and Basel Katt. 2019. "Managing Software Security Knowledge in Context: An Ontology Based Approach" Information 10, no. 6: 216. https://doi.org/10.3390/info10060216
APA StyleWen, S. -F., & Katt, B. (2019). Managing Software Security Knowledge in Context: An Ontology Based Approach. Information, 10(6), 216. https://doi.org/10.3390/info10060216