Assessing security in software product lines; a maintenance analysis

Detalhes bibliográficos
Autor(a) principal: SILVEIRA NETO, Paulo Anselmo da Mota
Data de Publicação: 2017
Tipo de documento: Tese
Idioma: eng
Título da fonte: Repositório Institucional da UFPE
dARK ID: ark:/64986/001300000n1zb
Texto Completo: https://repositorio.ufpe.br/handle/123456789/26968
Resumo: Different terms such as "the real-time enterprise", "software infrastructures", "service oriented architectures" and "composite software applications" have gained importance in industry. It brings us the need of information systems that support cross-application integration, cross-company transactions and end-user access through a range of channels, including the Internet. In this context, Software Product Line (SPL) Engineering has gained importance by product oriented companies, as a strategy to cope with the increasing demand of large-scale product customization, providing an effective and efficient ways of improving productivity, software quality, and time-to-market. These benefits combined with the need of most applications interact with other applications, and the internet access makes critical assets vulnerable to many threats. For most of the product oriented companies, security requirements are likely to be as varied as for any other quality. Thus, it is important to supply variants of the same product to satisfy different needs. Owing to its variability management capabilities, software product line architectures can satisfy these requirements if carefully designed the resulting system has a better chance of meeting its expectations. All these requirements should be achieved at early design phases. Otherwise the cost to design a secure architecture will increase, which could worsen in SPL context, due to its complexity. In this context, this thesis evaluates different techniques to implement security tactics for the purpose of assessing conditional compilation and aspect-oriented programming as variability mechanisms concerning maintainability by accessing code size, separation of concerns, coupling and cohesion from software architects in the context of Software Product Lines projects. Hence, to better support SPL architects during design decisions, a family of experiments using three different testbeds was performed to analyze different security techniques regarding to maintainability. We have found that for most of the techniques conditional compilation had a smaller amount of lines of code when compared with Aspect Oriented Programming. The separation of concerns attribute had the low impact on maintainability when implemented with aspect-oriented programming. The analysis also showed that detect attack techniques are less costly than resist attack techniques. The results are useful for both researchers and practitioners. On the one hand, researchers can identify useful research directions and get guidance on how the security techniques impact on maintainability. On the other hand, practitioners can benefit from this thesis by identifying the less costly variability implementation mechanism, as well as, learning concrete techniques to implement security tactics at the code level.
id UFPE_89cba479d506d390368e14b1a4919881
oai_identifier_str oai:repositorio.ufpe.br:123456789/26968
network_acronym_str UFPE
network_name_str Repositório Institucional da UFPE
repository_id_str 2221
spelling SILVEIRA NETO, Paulo Anselmo da Motahttp://lattes.cnpq.br/6465144387155252http://lattes.cnpq.br/6613487636748832GARCIA, Vinícius CardosoALMEIDA, Eduardo Santana de2018-09-26T18:31:38Z2018-09-26T18:31:38Z2017-06-02https://repositorio.ufpe.br/handle/123456789/26968ark:/64986/001300000n1zbDifferent terms such as "the real-time enterprise", "software infrastructures", "service oriented architectures" and "composite software applications" have gained importance in industry. It brings us the need of information systems that support cross-application integration, cross-company transactions and end-user access through a range of channels, including the Internet. In this context, Software Product Line (SPL) Engineering has gained importance by product oriented companies, as a strategy to cope with the increasing demand of large-scale product customization, providing an effective and efficient ways of improving productivity, software quality, and time-to-market. These benefits combined with the need of most applications interact with other applications, and the internet access makes critical assets vulnerable to many threats. For most of the product oriented companies, security requirements are likely to be as varied as for any other quality. Thus, it is important to supply variants of the same product to satisfy different needs. Owing to its variability management capabilities, software product line architectures can satisfy these requirements if carefully designed the resulting system has a better chance of meeting its expectations. All these requirements should be achieved at early design phases. Otherwise the cost to design a secure architecture will increase, which could worsen in SPL context, due to its complexity. In this context, this thesis evaluates different techniques to implement security tactics for the purpose of assessing conditional compilation and aspect-oriented programming as variability mechanisms concerning maintainability by accessing code size, separation of concerns, coupling and cohesion from software architects in the context of Software Product Lines projects. Hence, to better support SPL architects during design decisions, a family of experiments using three different testbeds was performed to analyze different security techniques regarding to maintainability. We have found that for most of the techniques conditional compilation had a smaller amount of lines of code when compared with Aspect Oriented Programming. The separation of concerns attribute had the low impact on maintainability when implemented with aspect-oriented programming. The analysis also showed that detect attack techniques are less costly than resist attack techniques. The results are useful for both researchers and practitioners. On the one hand, researchers can identify useful research directions and get guidance on how the security techniques impact on maintainability. On the other hand, practitioners can benefit from this thesis by identifying the less costly variability implementation mechanism, as well as, learning concrete techniques to implement security tactics at the code level.CNPqDiferentes termos como “empresa em tempo real”, “infraestrutura de software”, “arquiteturas orientadas a serviço” e “aplicações de software” tem ganhado importância na indústria. Isso requer sistemas de informação que suportem a integração com outras aplicações, transações entre empresas e acesso ao usuário final por uma variedade de canais, incluindo internet. Nesse contexto, Linha de Produto de Software (LPS) tem ganhado importância por empresas orientadas a produtos de software, como uma estratégia para lidar com a crescente demanda de personalização de produtos em grande escala, proporcionando uma forma eficaz e eficiente de melhorar a produtividade, a qualidade do software e o tempo de lançamento para o mercado. Esses benefícios combinados com a necessidade da maioria dos aplicativos precisarem interagir com outras aplicações e o acesso à Internet tornam essas aplicações vulneráveis a muitas ameaças. Para a maioria das empresas orientadas à produto, os requisitos de segurança podem variar assim como outro atributo de qualidade do software. Assim, é importante fornecer variantes do mesmo produto para satisfazer diferentes necessidades. Devido às suas capacidades de gerenciamento de variabilidade, arquiteturas de linha de produtos têm a capacidade de satisfazer esses requisitos, se cuidadosamente projetada o sistema resultante terá uma melhor chance de satisfazer as expectativas. Todos esses requisitos devem ser alcançados nas primeiras fases do projeto, caso contrário, o custo para projetar uma arquitetura segura aumentará, o que poderia piorar no contexto SPL, devido à sua natureza complexa. Assim, para melhor apoiar os arquitetos durante as decisões de projeto. Uma família de experimentos utilizando três SPLs distintas foram utilizadas para analisar diferentes técnicas de segurança, implementadas usando compilação condicional (CC) e programação orientada a aspectos (AOP). Essa avaliação teve como objetivo analisar as técnicas e mecanismos em relação a: tamanho, “separation of concerns”, coesão e acoplamento. O resultado nos mostra que para a maioria das técnicas quando implementadas com compilação condicional apresentavam uma menor quantidade de código quando comparadas com AOP. O atributo de “separation of concerns” teve menor impacto na manutenção quando implementado com programação orientada a aspectos. A análise também mostrou que técnicas de detecção de ataque são menos onerosas do que técnicas para resistir a ataque. Os resultados são úteis para pesquisadores e profissionais. Por um lado, os pesquisadores podem identificar direções de pesquisa e obter orientação sobre como as técnicas de segurança impactam na manutenção. Por outro lado, os profissionais podem se beneficiar deste estudo, identificando o mecanismo de implementação da variabilidade menos dispendioso, bem como aprendendo técnicas concretas para implementar táticas de segurança a nível de código.engUniversidade Federal de PernambucoPrograma de Pos Graduacao em Ciencia da ComputacaoUFPEBrasilAttribution-NonCommercial-NoDerivs 3.0 Brazilhttp://creativecommons.org/licenses/by-nc-nd/3.0/br/info:eu-repo/semantics/openAccessEngenharia de softwareSegurança de softwareAssessing security in software product lines; a maintenance analysisinfo:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/doctoralThesisdoutoradoreponame:Repositório Institucional da UFPEinstname:Universidade Federal de Pernambuco (UFPE)instacron:UFPETHUMBNAILTESE Paulo Anselmo da Mota Silveira Neto.pdf.jpgTESE Paulo Anselmo da Mota Silveira Neto.pdf.jpgGenerated Thumbnailimage/jpeg1346https://repositorio.ufpe.br/bitstream/123456789/26968/6/TESE%20Paulo%20Anselmo%20da%20Mota%20Silveira%20Neto.pdf.jpgc7e3c6789df931c094ecd40c04bad4c7MD56CC-LICENSElicense_rdflicense_rdfapplication/rdf+xml; charset=utf-8811https://repositorio.ufpe.br/bitstream/123456789/26968/2/license_rdfe39d27027a6cc9cb039ad269a5db8e34MD52LICENSElicense.txtlicense.txttext/plain; charset=utf-82311https://repositorio.ufpe.br/bitstream/123456789/26968/3/license.txt4b8a02c7f2818eaf00dcf2260dd5eb08MD53ORIGINALTESE Paulo Anselmo da Mota Silveira Neto.pdfTESE Paulo Anselmo da Mota Silveira Neto.pdfapplication/pdf3746031https://repositorio.ufpe.br/bitstream/123456789/26968/4/TESE%20Paulo%20Anselmo%20da%20Mota%20Silveira%20Neto.pdf774406d522d4425eab176f342d17148eMD54TEXTTESE Paulo Anselmo da Mota Silveira Neto.pdf.txtTESE Paulo Anselmo da Mota Silveira Neto.pdf.txtExtracted texttext/plain374394https://repositorio.ufpe.br/bitstream/123456789/26968/5/TESE%20Paulo%20Anselmo%20da%20Mota%20Silveira%20Neto.pdf.txtf7618a56a382739cb2c20ebd45e405abMD55123456789/269682019-10-25 10:49:32.245oai:repositorio.ufpe.br:123456789/26968TGljZW7Dp2EgZGUgRGlzdHJpYnVpw6fDo28gTsOjbyBFeGNsdXNpdmEKClRvZG8gZGVwb3NpdGFudGUgZGUgbWF0ZXJpYWwgbm8gUmVwb3NpdMOzcmlvIEluc3RpdHVjaW9uYWwgKFJJKSBkZXZlIGNvbmNlZGVyLCDDoCBVbml2ZXJzaWRhZGUgRmVkZXJhbCBkZSBQZXJuYW1idWNvIChVRlBFKSwgdW1hIExpY2Vuw6dhIGRlIERpc3RyaWJ1acOnw6NvIE7Do28gRXhjbHVzaXZhIHBhcmEgbWFudGVyIGUgdG9ybmFyIGFjZXNzw612ZWlzIG9zIHNldXMgZG9jdW1lbnRvcywgZW0gZm9ybWF0byBkaWdpdGFsLCBuZXN0ZSByZXBvc2l0w7NyaW8uCgpDb20gYSBjb25jZXNzw6NvIGRlc3RhIGxpY2Vuw6dhIG7Do28gZXhjbHVzaXZhLCBvIGRlcG9zaXRhbnRlIG1hbnTDqW0gdG9kb3Mgb3MgZGlyZWl0b3MgZGUgYXV0b3IuCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwoKTGljZW7Dp2EgZGUgRGlzdHJpYnVpw6fDo28gTsOjbyBFeGNsdXNpdmEKCkFvIGNvbmNvcmRhciBjb20gZXN0YSBsaWNlbsOnYSBlIGFjZWl0w6EtbGEsIHZvY8OqIChhdXRvciBvdSBkZXRlbnRvciBkb3MgZGlyZWl0b3MgYXV0b3JhaXMpOgoKYSkgRGVjbGFyYSBxdWUgY29uaGVjZSBhIHBvbMOtdGljYSBkZSBjb3B5cmlnaHQgZGEgZWRpdG9yYSBkbyBzZXUgZG9jdW1lbnRvOwpiKSBEZWNsYXJhIHF1ZSBjb25oZWNlIGUgYWNlaXRhIGFzIERpcmV0cml6ZXMgcGFyYSBvIFJlcG9zaXTDs3JpbyBJbnN0aXR1Y2lvbmFsIGRhIFVGUEU7CmMpIENvbmNlZGUgw6AgVUZQRSBvIGRpcmVpdG8gbsOjbyBleGNsdXNpdm8gZGUgYXJxdWl2YXIsIHJlcHJvZHV6aXIsIGNvbnZlcnRlciAoY29tbyBkZWZpbmlkbyBhIHNlZ3VpciksIGNvbXVuaWNhciBlL291IGRpc3RyaWJ1aXIsIG5vIFJJLCBvIGRvY3VtZW50byBlbnRyZWd1ZSAoaW5jbHVpbmRvIG8gcmVzdW1vL2Fic3RyYWN0KSBlbSBmb3JtYXRvIGRpZ2l0YWwgb3UgcG9yIG91dHJvIG1laW87CmQpIERlY2xhcmEgcXVlIGF1dG9yaXphIGEgVUZQRSBhIGFycXVpdmFyIG1haXMgZGUgdW1hIGPDs3BpYSBkZXN0ZSBkb2N1bWVudG8gZSBjb252ZXJ0w6otbG8sIHNlbSBhbHRlcmFyIG8gc2V1IGNvbnRlw7pkbywgcGFyYSBxdWFscXVlciBmb3JtYXRvIGRlIGZpY2hlaXJvLCBtZWlvIG91IHN1cG9ydGUsIHBhcmEgZWZlaXRvcyBkZSBzZWd1cmFuw6dhLCBwcmVzZXJ2YcOnw6NvIChiYWNrdXApIGUgYWNlc3NvOwplKSBEZWNsYXJhIHF1ZSBvIGRvY3VtZW50byBzdWJtZXRpZG8gw6kgbyBzZXUgdHJhYmFsaG8gb3JpZ2luYWwgZSBxdWUgZGV0w6ltIG8gZGlyZWl0byBkZSBjb25jZWRlciBhIHRlcmNlaXJvcyBvcyBkaXJlaXRvcyBjb250aWRvcyBuZXN0YSBsaWNlbsOnYS4gRGVjbGFyYSB0YW1iw6ltIHF1ZSBhIGVudHJlZ2EgZG8gZG9jdW1lbnRvIG7Do28gaW5mcmluZ2Ugb3MgZGlyZWl0b3MgZGUgb3V0cmEgcGVzc29hIG91IGVudGlkYWRlOwpmKSBEZWNsYXJhIHF1ZSwgbm8gY2FzbyBkbyBkb2N1bWVudG8gc3VibWV0aWRvIGNvbnRlciBtYXRlcmlhbCBkbyBxdWFsIG7Do28gZGV0w6ltIG9zIGRpcmVpdG9zIGRlCmF1dG9yLCBvYnRldmUgYSBhdXRvcml6YcOnw6NvIGlycmVzdHJpdGEgZG8gcmVzcGVjdGl2byBkZXRlbnRvciBkZXNzZXMgZGlyZWl0b3MgcGFyYSBjZWRlciDDoApVRlBFIG9zIGRpcmVpdG9zIHJlcXVlcmlkb3MgcG9yIGVzdGEgTGljZW7Dp2EgZSBhdXRvcml6YXIgYSB1bml2ZXJzaWRhZGUgYSB1dGlsaXrDoS1sb3MgbGVnYWxtZW50ZS4gRGVjbGFyYSB0YW1iw6ltIHF1ZSBlc3NlIG1hdGVyaWFsIGN1am9zIGRpcmVpdG9zIHPDo28gZGUgdGVyY2Vpcm9zIGVzdMOhIGNsYXJhbWVudGUgaWRlbnRpZmljYWRvIGUgcmVjb25oZWNpZG8gbm8gdGV4dG8gb3UgY29udGXDumRvIGRvIGRvY3VtZW50byBlbnRyZWd1ZTsKZykgU2UgbyBkb2N1bWVudG8gZW50cmVndWUgw6kgYmFzZWFkbyBlbSB0cmFiYWxobyBmaW5hbmNpYWRvIG91IGFwb2lhZG8gcG9yIG91dHJhIGluc3RpdHVpw6fDo28gcXVlIG7Do28gYSBVRlBFLMKgZGVjbGFyYSBxdWUgY3VtcHJpdSBxdWFpc3F1ZXIgb2JyaWdhw6fDtWVzIGV4aWdpZGFzIHBlbG8gcmVzcGVjdGl2byBjb250cmF0byBvdSBhY29yZG8uCgpBIFVGUEUgaWRlbnRpZmljYXLDoSBjbGFyYW1lbnRlIG8ocykgbm9tZShzKSBkbyhzKSBhdXRvciAoZXMpIGRvcyBkaXJlaXRvcyBkbyBkb2N1bWVudG8gZW50cmVndWUgZSBuw6NvIGZhcsOhIHF1YWxxdWVyIGFsdGVyYcOnw6NvLCBwYXJhIGFsw6ltIGRvIHByZXZpc3RvIG5hIGFsw61uZWEgYykuCg==Repositório InstitucionalPUBhttps://repositorio.ufpe.br/oai/requestattena@ufpe.bropendoar:22212019-10-25T13:49:32Repositório Institucional da UFPE - Universidade Federal de Pernambuco (UFPE)false
dc.title.pt_BR.fl_str_mv Assessing security in software product lines; a maintenance analysis
title Assessing security in software product lines; a maintenance analysis
spellingShingle Assessing security in software product lines; a maintenance analysis
SILVEIRA NETO, Paulo Anselmo da Mota
Engenharia de software
Segurança de software
title_short Assessing security in software product lines; a maintenance analysis
title_full Assessing security in software product lines; a maintenance analysis
title_fullStr Assessing security in software product lines; a maintenance analysis
title_full_unstemmed Assessing security in software product lines; a maintenance analysis
title_sort Assessing security in software product lines; a maintenance analysis
author SILVEIRA NETO, Paulo Anselmo da Mota
author_facet SILVEIRA NETO, Paulo Anselmo da Mota
author_role author
dc.contributor.authorLattes.pt_BR.fl_str_mv http://lattes.cnpq.br/6465144387155252
dc.contributor.advisorLattes.pt_BR.fl_str_mv http://lattes.cnpq.br/6613487636748832
dc.contributor.author.fl_str_mv SILVEIRA NETO, Paulo Anselmo da Mota
dc.contributor.advisor1.fl_str_mv GARCIA, Vinícius Cardoso
dc.contributor.advisor-co1.fl_str_mv ALMEIDA, Eduardo Santana de
contributor_str_mv GARCIA, Vinícius Cardoso
ALMEIDA, Eduardo Santana de
dc.subject.por.fl_str_mv Engenharia de software
Segurança de software
topic Engenharia de software
Segurança de software
description Different terms such as "the real-time enterprise", "software infrastructures", "service oriented architectures" and "composite software applications" have gained importance in industry. It brings us the need of information systems that support cross-application integration, cross-company transactions and end-user access through a range of channels, including the Internet. In this context, Software Product Line (SPL) Engineering has gained importance by product oriented companies, as a strategy to cope with the increasing demand of large-scale product customization, providing an effective and efficient ways of improving productivity, software quality, and time-to-market. These benefits combined with the need of most applications interact with other applications, and the internet access makes critical assets vulnerable to many threats. For most of the product oriented companies, security requirements are likely to be as varied as for any other quality. Thus, it is important to supply variants of the same product to satisfy different needs. Owing to its variability management capabilities, software product line architectures can satisfy these requirements if carefully designed the resulting system has a better chance of meeting its expectations. All these requirements should be achieved at early design phases. Otherwise the cost to design a secure architecture will increase, which could worsen in SPL context, due to its complexity. In this context, this thesis evaluates different techniques to implement security tactics for the purpose of assessing conditional compilation and aspect-oriented programming as variability mechanisms concerning maintainability by accessing code size, separation of concerns, coupling and cohesion from software architects in the context of Software Product Lines projects. Hence, to better support SPL architects during design decisions, a family of experiments using three different testbeds was performed to analyze different security techniques regarding to maintainability. We have found that for most of the techniques conditional compilation had a smaller amount of lines of code when compared with Aspect Oriented Programming. The separation of concerns attribute had the low impact on maintainability when implemented with aspect-oriented programming. The analysis also showed that detect attack techniques are less costly than resist attack techniques. The results are useful for both researchers and practitioners. On the one hand, researchers can identify useful research directions and get guidance on how the security techniques impact on maintainability. On the other hand, practitioners can benefit from this thesis by identifying the less costly variability implementation mechanism, as well as, learning concrete techniques to implement security tactics at the code level.
publishDate 2017
dc.date.issued.fl_str_mv 2017-06-02
dc.date.accessioned.fl_str_mv 2018-09-26T18:31:38Z
dc.date.available.fl_str_mv 2018-09-26T18:31:38Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/doctoralThesis
format doctoralThesis
status_str publishedVersion
dc.identifier.uri.fl_str_mv https://repositorio.ufpe.br/handle/123456789/26968
dc.identifier.dark.fl_str_mv ark:/64986/001300000n1zb
url https://repositorio.ufpe.br/handle/123456789/26968
identifier_str_mv ark:/64986/001300000n1zb
dc.language.iso.fl_str_mv eng
language eng
dc.rights.driver.fl_str_mv Attribution-NonCommercial-NoDerivs 3.0 Brazil
http://creativecommons.org/licenses/by-nc-nd/3.0/br/
info:eu-repo/semantics/openAccess
rights_invalid_str_mv Attribution-NonCommercial-NoDerivs 3.0 Brazil
http://creativecommons.org/licenses/by-nc-nd/3.0/br/
eu_rights_str_mv openAccess
dc.publisher.none.fl_str_mv Universidade Federal de Pernambuco
dc.publisher.program.fl_str_mv Programa de Pos Graduacao em Ciencia da Computacao
dc.publisher.initials.fl_str_mv UFPE
dc.publisher.country.fl_str_mv Brasil
publisher.none.fl_str_mv Universidade Federal de Pernambuco
dc.source.none.fl_str_mv reponame:Repositório Institucional da UFPE
instname:Universidade Federal de Pernambuco (UFPE)
instacron:UFPE
instname_str Universidade Federal de Pernambuco (UFPE)
instacron_str UFPE
institution UFPE
reponame_str Repositório Institucional da UFPE
collection Repositório Institucional da UFPE
bitstream.url.fl_str_mv https://repositorio.ufpe.br/bitstream/123456789/26968/6/TESE%20Paulo%20Anselmo%20da%20Mota%20Silveira%20Neto.pdf.jpg
https://repositorio.ufpe.br/bitstream/123456789/26968/2/license_rdf
https://repositorio.ufpe.br/bitstream/123456789/26968/3/license.txt
https://repositorio.ufpe.br/bitstream/123456789/26968/4/TESE%20Paulo%20Anselmo%20da%20Mota%20Silveira%20Neto.pdf
https://repositorio.ufpe.br/bitstream/123456789/26968/5/TESE%20Paulo%20Anselmo%20da%20Mota%20Silveira%20Neto.pdf.txt
bitstream.checksum.fl_str_mv c7e3c6789df931c094ecd40c04bad4c7
e39d27027a6cc9cb039ad269a5db8e34
4b8a02c7f2818eaf00dcf2260dd5eb08
774406d522d4425eab176f342d17148e
f7618a56a382739cb2c20ebd45e405ab
bitstream.checksumAlgorithm.fl_str_mv MD5
MD5
MD5
MD5
MD5
repository.name.fl_str_mv Repositório Institucional da UFPE - Universidade Federal de Pernambuco (UFPE)
repository.mail.fl_str_mv attena@ufpe.br
_version_ 1815172862845124608