Assessing security in software product lines; a maintenance analysis
Main author: | |
---|---|
Publication date: | 2017 |
Document type: | Thesis |
Language: | eng |
Source title: | Repositório Institucional da UFPE |
dARK ID: | ark:/64986/001300000n1zb |
Full text: | https://repositorio.ufpe.br/handle/123456789/26968 |
Abstract: | Different terms such as "the real-time enterprise", "software infrastructures", "service oriented architectures" and "composite software applications" have gained importance in industry. This creates a need for information systems that support cross-application integration, cross-company transactions and end-user access through a range of channels, including the Internet. In this context, Software Product Line (SPL) Engineering has gained importance among product-oriented companies as a strategy to cope with the increasing demand for large-scale product customization, providing an effective and efficient way of improving productivity, software quality, and time-to-market. These benefits, combined with the need of most applications to interact with other applications and with Internet access, make critical assets vulnerable to many threats. For most product-oriented companies, security requirements are likely to be as varied as those for any other quality. Thus, it is important to supply variants of the same product to satisfy different needs. Owing to their variability management capabilities, software product line architectures can satisfy these requirements; if carefully designed, the resulting system has a better chance of meeting its expectations. All these requirements should be addressed at early design phases. Otherwise the cost of designing a secure architecture will increase, which could worsen in the SPL context due to its complexity. In this context, this thesis evaluates different techniques to implement security tactics, for the purpose of assessing conditional compilation and aspect-oriented programming as variability mechanisms with respect to maintainability, by assessing code size, separation of concerns, coupling and cohesion, from the point of view of software architects in the context of Software Product Line projects. Hence, to better support SPL architects during design decisions, a family of experiments using three different testbeds was performed to analyze different security techniques with regard to maintainability. We found that, for most of the techniques, conditional compilation produced fewer lines of code than aspect-oriented programming. The separation of concerns attribute had a lower impact on maintainability when implemented with aspect-oriented programming. The analysis also showed that detect-attack techniques are less costly than resist-attack techniques. The results are useful for both researchers and practitioners. On the one hand, researchers can identify useful research directions and get guidance on how the security techniques impact maintainability. On the other hand, practitioners can benefit from this thesis by identifying the less costly variability implementation mechanism, as well as by learning concrete techniques to implement security tactics at the code level. |
Author: | SILVEIRA NETO, Paulo Anselmo da Mota |
Author's Lattes CV: | http://lattes.cnpq.br/6465144387155252 |
Advisor: | GARCIA, Vinícius Cardoso |
Advisor's Lattes CV: | http://lattes.cnpq.br/6613487636748832 |
Co-advisor: | ALMEIDA, Eduardo Santana de |
Subjects: | Software engineering; Software security |
Date issued: | 2017-06-02 |
Date accessioned: | 2018-09-26T18:31:38Z |
Date available: | 2018-09-26T18:31:38Z |
Type: | info:eu-repo/semantics/doctoralThesis |
Status: | info:eu-repo/semantics/publishedVersion |
Rights: | Attribution-NonCommercial-NoDerivs 3.0 Brazil; http://creativecommons.org/licenses/by-nc-nd/3.0/br/; info:eu-repo/semantics/openAccess |
Publisher: | Universidade Federal de Pernambuco (UFPE) |
Publisher program: | Programa de Pos Graduacao em Ciencia da Computacao |
Publisher country: | Brazil |