A Model and Implementation of a Security plug-in for the Software Life Cycle

Ardi, Shanai

January 2008

<p>Currently, security is frequently considered late in software life cycle. It is often bolted on late in development, or even during deployment or maintenance, through activities such as add-on security software and penetration-and-patch maintenance. Even if software developers aim to incorporate security into their products from the beginning of the software life cycle, they face an exhaustive amount of ad hoc unstructured information without any practical guidance on how and why this information should be used and what the costs and benefits of using it are. This is due to a lack of structured methods.</p><p>In this thesis we present a model for secure software development and implementation of a security plug-in that deploys this model in software life cycle. The model is a structured unified process, named S3P (Sustainable Software Security Process) and is designed to be easily adaptable to any software development process. S3P provides the formalism required to identify the causes of vulnerabilities and the mitigation techniques that address these causes to prevent vulnerabilities. We present a prototype of the security plug-in implemented for the OpenUP/Basic development process in Eclipse Process Framework. We also present the results of the evaluation of this plug-in. The work in this thesis is a first step towards a general framework for introducing security into the software life cycle and to support software process improvements to prevent recurrence of software vulnerabilities.</p> / Report code: LiU-Tek-Lic-2008:11.

Software security

Vulnerability modeling

Plug-in

Software development process

Software life cycle

Computer science

Datavetenskap

A Model and Implementation of a Security plug-in for the Software Life Cycle

Ardi, Shanai

January 2008

Currently, security is frequently considered late in software life cycle. It is often bolted on late in development, or even during deployment or maintenance, through activities such as add-on security software and penetration-and-patch maintenance. Even if software developers aim to incorporate security into their products from the beginning of the software life cycle, they face an exhaustive amount of ad hoc unstructured information without any practical guidance on how and why this information should be used and what the costs and benefits of using it are. This is due to a lack of structured methods. In this thesis we present a model for secure software development and implementation of a security plug-in that deploys this model in software life cycle. The model is a structured unified process, named S3P (Sustainable Software Security Process) and is designed to be easily adaptable to any software development process. S3P provides the formalism required to identify the causes of vulnerabilities and the mitigation techniques that address these causes to prevent vulnerabilities. We present a prototype of the security plug-in implemented for the OpenUP/Basic development process in Eclipse Process Framework. We also present the results of the evaluation of this plug-in. The work in this thesis is a first step towards a general framework for introducing security into the software life cycle and to support software process improvements to prevent recurrence of software vulnerabilities. / <p>Report code: LiU-Tek-Lic-2008:11.</p>

Software security

Vulnerability modeling

Plug-in

Software development process

Software life cycle

Computer Sciences

Datavetenskap (datalogi)

Stormwater Infiltration and Groundwater Integrity: An Analysis of BMP Siting Tools and Groundwater Vulnerability

Gallagher, Kristopher Craig

22 March 2017

Nonpoint source pollution captured by urban stormwater runoff is the greatest challenge for surface water quality improvements. Computer-based design tools have been developed to help mediate this issue by guiding end users through the implementation of decentralized stormwater management. The majority of these tools focus on treatment via biofiltration, yet concern regarding this treatment regime is rising. Case studies from research past clearly indicate the susceptibility of groundwater to contamination from extensive anthropogenic activity at the surface. Contaminants, such as nitrates and pathogens, are not completely removed before runoff enters the underground watercourse. Additionally, national and state legislation, which explicitly lists where neglect for groundwater quality is permissible—exacerbate concerns. This research analyzes the efficiency the BMP Siting Tool developed by the US Environmental Protection Agency and the Grey-to-Green Decision Support Tool developed by the University of South Florida. The tools were used to obtain cartographic data illustrating suitable sites for bioswales and infiltration basins throughout northern portion of Hillsborough County, Florida. This data was then integrated with the Karst Aquifer Vulnerability Index (KAVI) groundwater vulnerability model. The area of bioswales and infiltration basins that intersected areas of the KAVI model listed as ‘highly vulnerable’ or ‘moderate-to-highly vulnerable’ was calculated. This permitted an assessment of which BMP facility had the greatest sitings atop vulnerable areas, respective of the tool. The BMP Siting Tool sited 2.80% of all bioswales and 27.89% of all infiltration basins above vulnerable areas. Likewise, the Grey-to-Green Decision Support Tool sited 21.66% of all bioswales and 9.62% of all infiltration basins above vulnerable areas. These results prompted the development of a supplemental groundwater vulnerability framework to be incorporated into both tools’ analytical process.

BMP Siting Tool

Gray-to-Green Decision Support Tool

Groundwater vulnerability modeling

Biofiltration

Urban stormwater runoff

Environmental Sciences

Water Resource Management