Genie in a Model? Why Model Driven Security will not secure your Web Application

Christoph Hochreiner1, Peter Frühwirt1+, Zhendong Ma2, Peter Kieseberg1, Sebastian Schrittwieser3, and Edgar Weippl1

1SBA Research, Austria

{hochreiner, pfruehwirt, pkieseberg, eweippl}@sba-research.org

2Austrian Institute of Technology, Austria

zhendong.ma@ait.ac.at

3St. Pölten University of Applied Sciences, Austria

sebastian.schrittwieser@fhstp.ac.at


Abstract

Increasingly, a new software development methodology called Model Driven Engineering (MDE) is used to raise productivity by providing powerful code generation tools, which allow a less error-prone implementation process. However, the idea of modeling system aspects during the design phase, so-called Model Driven Security (MDS), was proposed by the scientific community decades ago, and it is still unclear whether MDS can improve the security of a software project. In this paper we provide a comprehensive evaluation of current MDS approaches, based on a web application scenario, with regard to the most common web security attacks. We discuss their strengths and limitations as well as the practicability of MDS for modern web application security in general.

Keywords: model engineering, model driven security, security engineering.


+: Corresponding author: Peter Frühwirt

Favoritenstrasse 16, 1040 Wien, Austria; Tel: +43-699-17941418,
Web: http://www.sba-research.org


Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 5, No. 3, pp. 44-62, September 2014