Mehrez Essafi | University of Manouba
Papers by Mehrez Essafi
International Journal of Secure Software Engineering, 2014
This work suggests a multilevel support to software developers, who often lack knowledge and skills on how to proceed to develop secure software. In fact, developing software with such quality is a hard and complex task that involves many additional security-dedicated activities which are usually omitted in traditional software development lifecycles or integrated but not efficiently and appropriately deployed in some others. To federate all these software security-assurance activities in a structured way and provide the required guidelines for choosing and using them in a flexible development process, authors used meta-modeling techniques and dynamic process execution that consider developer's affinities and product's states. The proposed approach formalizes existing secure software development processes, allows integration of new ones, prevents ad-hoc executions and is supported by a tool to facilitate its deployment. A case study is given here to exemplify the proposed approach application and to illustrate some of its advantages.
Building Secure Software is about taking security into account during all phases of software development. This practice is missing in widely used traditional developments due to domain immaturity, newness of the field and process complexity. Software development includes two views, a product view and a process view. The product view defines what the product is, whereas the process view describes how the product is developed. Here we are concerned with the process view. Modelling the process allows simulating and analyzing a software development process, which can help developers better understand, manage and optimize the software development process. In this paper we present our approach S2D-ProM, for Secure Software Development Process Model, which is a strategy-oriented process model. The latter captures the steps and strategies that are required for the development of secure software and provides two-level guidance. The first level of guidance is strategic, helping developers choose one among several strategies. The second level of guidance is tactical, helping developers achieve their selection for producing secure software. The proposed process model is easily extensible and allows building customized processes adapted to context, developer's finalities and product state. This flexibility allows the environment to evolve through time to support new securing strategies.
Secure software engineering is a big challenge. This is mainly due to the increasing complexity, openness and extensibility of modern applications, which make a complete analysis of security requirements very hard. The overall problem space is consequently no longer easily comprehensible for developers. This paper is an attempt to explore some of these issues underlying secure software engineering. We propose a secure software engineering framework, which suggests considering secure software engineering along four different, but complementary, views. Each view is capturing a particular relevant aspect of secure software engineering. Our motivations for developing this framework are to: (a) help understand and clarify the secure software engineering domain, (b) guide in classifying and comparing both secure software and securing approaches and (c) help researchers to identify new research axes.
Understanding the software development process has always been a great challenge in the software engineering field. Actual engineering has many aspects and processes that need to be well understood and modeled. We focus on simulating the development process according to two complementary points of view: method and application engineering views. We use a formalism to represent the process model, which is the map. Maps are dynamic: they provide several non-deterministic strategies to achieve given intentions from given products. Navigation in a map is dynamic. We design and develop an agent-based simulator whose main components are environment and actors: the environment is composed of the map structure being simulated and the product being developed; software engineers are modeled as autonomous agents able to select sections and achieve intentions. By agent cloning, we were able to develop exhaustive and concurrent multi-process and multi-product building. Our simulation supports engineers in building their maps and validating process models by giving an exhaustive and simultaneous navigation through one map. Map incoherencies have been detected and flexibility assessed.
Security is an emergent property of a software system. Several efforts are undertaken to improve software security. However, developers still miss or misuse acquired knowledge. This is mainly due to domain immaturity, newness of the field, process complexity and absence of environments supporting such development. This paper presents our environment denoted ASASI for Addressing Software Application Security Issues. The main feature of the proposed environment is that it is based on a strategy-oriented process model that provides two-level guidance. The first level of guidance is strategic, helping developers choose one among compilations of the existing methods, standards and best practices. The second level of guidance is tactical, helping developers achieve their selection for producing secure software. The supported process model is easily extensible and allows building customized processes adapted to context, developer's finalities and product state. This flexibility allows the environment to evolve through time to support new security requirements. Keywords-environment;