
IOSR Journal of Computer Engineering (IOSR-JCE), e-ISSN: 2278-0661, p-ISSN: 2278-8727, Volume 11, Issue 6 (May - Jun. 2013), PP 75-82, www.iosrjournals.org

Model for Identifying the Security of a System: A Case Study of Point Of Sale System

Md. Alamgir Kabir Sagar (1), Md. Mijanur Rahman (2) and Md. Ismail Jabiullah (3)

(1, 2) Department of Software Engineering, Daffodil International University, Dhanmondi, Dhaka, Bangladesh.
(3) Professor and Head, Department of Computer Science and Engineering, Hamdard University Bangladesh, New Town, Sonargaon, Narayangonj, Bangladesh.

Abstract: In the competitive economic market, the demand for secure and reliable systems increases day by day. Successful system development is possible only when functional and non-functional requirements are considered equally, but in practice non-functional requirements are not identified as carefully as functional ones. A system has a few generic non-functional requirements, such as auditability, extensibility, maintainability, performance, portability, reliability, security, testability and usability; among them, security is a vital issue for system development. Web-based applications are vulnerable today, and the importance of web application security is therefore growing over time. Very often a system fails because no appropriate security-specific process was incorporated. Our proposed model elicits the system security in a systematic way during the requirement analysis phase: using a use case and questionnaire tables, it elicits the security requirements of a system. We use a Point of Sale system as a case study to identify its security.

Keywords: Identify Security, Web Application, Security Model, Functional Requirement, Non-Functional Requirement

I. Introduction

The Internet, and in particular the World Wide Web, has become one of the most common communication mediums in the world [1]. Millions of users connect every day to different web-based applications to search for information, exchange messages, interact with each other, conduct business, pay taxes, perform financial operations and much more [1]. As a result, the number of web-based applications grows day by day, and so does the number of their vulnerabilities. Securing a web-based application means securing the network, the host and the application itself (Fig. 1) [2]. In this paper we propose a model for building secure web-based applications that addresses the application layer rather than the host or the network.

Fig. 1 Secure web based application

Building a secure application requires non-functional requirements alongside the functional ones; security is one type of non-functional requirement. Functional requirements alone are therefore not sufficient: non-functional requirements are also necessary for building a secure web application. In software engineering, a functional requirement defines a function of a software system or its component. A function is described as a set of inputs, the behavior, and outputs. Functional requirements may be calculations, technical details, data manipulation and processing, and other specific functionality that define what a system is supposed to accomplish [3]. In other words, functional requirements capture the intended behavior of the system; this behavior may be expressed as services, tasks or functions the system is required to perform [4]. Put simply, the functional requirements of a system refer to the functions of the system, such as business functions and interface functions [5]. Non-functional requirements are often called the qualities of a system. Other terms for non-functional requirements are "constraints", "quality attributes", "quality goals", "quality of service requirements" and "non-behavioral requirements" [6]. Non-functional requirements have also been called the 'ilities', because they are most simply expressed as usability, reliability, interoperability, scalability, security and so on [7]. There are several non-functional requirements: auditability, extensibility, maintainability, performance, portability, reliability, security, testability, usability and others. Using a use case and questionnaire tables, our model identifies the security requirements of a system during the requirement analysis phase. The use case captures the functional requirements, organised by actor, and the questionnaire tables capture the security requirements, which belong to the non-functional requirements.


II. Current Problems

It is time for businesses to take the security of their web applications more seriously, and that begins with building more secure applications. Table 1 lists the topics a developer should keep in mind when securing a web application [8].

Table 1. Strengthen Web Application Security
1. User inputs
2. Know which vulnerabilities will compromise
3. Understand security controls
4. Never write own security controls
5. Create a security community emissary
6. Apply security controls consistently

A developer should consider these topics before developing the system; they are primary security concerns for the developer, not fixed guidelines. With the rapid development of web-based applications, many vulnerability issues arise. The OWASP Top 10 - 2013 Release Candidate [9], which revises the 2010 edition, lists the categories given in Table 2.

Table 2. Top 10 Vulnerabilities Currently Affecting Web Applications
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards

These are the current web application vulnerability categories. If we consider and avoid them while developing a web application, the application is more secure; that is, for a web-based application we can develop techniques to avoid these vulnerabilities. In summary, when we develop a system we usually do not address security [10]; there is no non-functional security requirement model to follow while developing a system, and no security assessment model [11] for measuring the security level after the system is developed. When security is not considered during development and the customer later changes the security requirements, the problems listed in Table 3 arise.

Table 3. Current Problems
1. Costing
2. Timing
3. User Unsatisfied Issues
4. Testing
5. Documentation Changing Issues
6. User Interface Changing Issues, etc.

Costing, timing, user dissatisfaction, testing, documentation changes, user interface changes and similar problems are faced. Delivery time is a major concern of a software project, and cost is another.

III. Proposed Model

In software and systems engineering [12], a use case is a list of steps, typically defining interactions between a role (known in UML [13] as an "actor") and a system, to achieve a goal. The actor can be a human or an external system. In systems engineering, use cases are used at a higher level than within software engineering, often representing missions or stakeholder goals; the detailed requirements may then be captured in SysML or as contractual statements [14]. A use case diagram at its simplest is a representation of a user's interaction with the system, depicting the specification of a use case. It can portray the different types of users of a system and the various ways in which they interact with it. This type of diagram is typically used in conjunction with the textual use case and is often accompanied by other types of diagrams as well [15]. A use case diagram can be used to describe the usage requirements for a system from an external point of view [16]. A use case is a piece of functionality the users need from the system, and a use case diagram depicts the relationships among the actors and use cases; it is usually used for requirements analysis. The components of a use case diagram are actors, use cases and associations [17], as shown in Fig. 2.

Fig. 2 Use Case Diagram

Security is usually not considered when software is developed. A use case diagram represents the processes of an application [18], so if a security question table is attached to each process, most security concerns are captured before the application is built. The proposed model for identifying security before developing the system is given in Fig. 3.

Fig. 3 Proposed Model of POS System

Fig. 3 is the use case diagram of the Point of Sale system. In this use case, every process has a security sample question table. Each security sample questionnaire table consists of sample security questions for the related process and is used in the requirement phase, before the system is developed. In this way, all security requirements of each process are considered before the system is developed.

IV. Security Questionnaires Table

A Security Question Table contains the requirement-related sample security questions for the application; it is attached to a process in the application's use case diagram, and each process has its own Security Question Table. For example, the LOGSSQ table contains the security questions for the Login process, as given in Table 4.

Table 4: LOGSSQ Table for Login Process

For the login process, the question pattern of the LOGSSQ table [Table 4] helps to ensure the requirement-related security before the system is developed. When developing a system, we look at the use case diagram [Fig. 3] and then at the security question tables attached to it [LOGSSQ Table for Login Process, Table 4; APSSQ Table for Add Product Process, Table 5; etc.]. In this way, security concerns are added and common security weaknesses are removed before the system is developed.
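The Login process is the first use case to which a security question table is attached, and two of the Table 2 categories, Injection and Broken Authentication and Session Management, are the ones a LOGSSQ-style question would most directly probe. The following Python snippet is an added example, not code from the paper or from the softdemo.net application; the account data (a "cashier" user in an in-memory SQLite table), the PBKDF2 work factor and the handler names are assumed for illustration. It places a login handler written without such questions beside one that answers them with a parameterised query and a salted, iterated password hash, and it shows that a classic injection payload passes the first and fails the second:

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this demo).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: what Table 2 item 6 (Sensitive Data Exposure)
    asks for in place of a stored plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store with one made-up cashier account.
    It keeps both a plaintext password column (used only by the vulnerable
    handler) and a salted PBKDF2 hash (used by the hardened one), so both
    handlers can be run against the same data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ("cashier", "s3cret", salt, hash_password("s3cret", salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login as it is often written when no security question was asked.
    Injection (Table 2, item 1): the SQL text is assembled from user input.
    Broken Authentication (item 2): the password is compared as plaintext
    inside the query, so it must also be stored as plaintext."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The same check with the two weaknesses removed."""
    # Parameterised query: the input is bound as a value and can never change
    # the structure of the statement, whatever characters it contains.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same amount of work for unknown users so that response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = row
    # Constant-time comparison of the salted hash; the plaintext is never stored.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def run_checks() -> dict:
    """Exercise both handlers with a valid credential and a classic injection
    payload; the result shows which handler the payload gets past."""
    conn = make_db()
    payload = "' OR 1=1 --"  # comments out the password clause of the vulnerable query
    return {
        "vulnerable_valid_login": login_vulnerable(conn, "cashier", "s3cret"),
        "vulnerable_injection": login_vulnerable(conn, payload, "wrong"),
        "hardened_valid_login": login_hardened(conn, "cashier", "s3cret"),
        "hardened_injection": login_hardened(conn, payload, "wrong"),
        "hardened_wrong_password": login_hardened(conn, "cashier", "wrong"),
    }


if __name__ == "__main__":
    for check, outcome in run_checks().items():
        print(f"{check}: {outcome}")
```

The payload turns the vulnerable handler's `WHERE` clause into `username = '' OR 1=1` followed by a comment, so the password check disappears and any password is accepted; the hardened handler binds the same string as a value, finds no such user and returns false. A question in a LOGSSQ table such as "is every login query parameterised?" or "are passwords stored as salted hashes?" (wording assumed) is what separates the two handlers at requirement time rather than after a breach.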

Table 5: APSSQ Table for Add Product Process

The APSSQ table [Table 5] contains the sample security questions for the Add Product process shown in the use case diagram [Fig. 3]. For the View Product process, the VPSSQ question table [Table 6] contains the security questions; it can be used before developing the system to avoid these types of security problems.


Table 6: VPSSQ Table for View Product Process

For the View Product process, some requirement-related security is considered before the system or application is developed. The VPSSQ table [Table 6] provides security questions to avoid these types of security problems.

V. Implementation

POS is an abbreviation for point of sale (or point-of-sale, or point of service). The term applies to a retail shop or store, the checkout/cashier counter in the store, or a location where such transactions can occur in this type of environment. It can also apply to the actual POS hardware and software, including but not limited to electronic cash register systems, touch-screen displays, barcode scanners, receipt printers, scales and pole displays. Point of sale systems are used in many different industries, ranging from restaurants, hotels and hospitality businesses, nail/beauty salons, casinos and stadiums to retail environments. In the most basic sense, if something can be exchanged for monetary value, a point of sale system can be used [19]. The point of sale (POS) or checkout is the place where a retail transaction is completed: the point at which a customer makes a payment to a merchant in exchange for goods or services. At the point of sale the merchant uses any of a range of possible methods to calculate the amount owed, such as a manual system, weighing machines, scanners or an electronic cash register. The merchant usually provides hardware and options for the customer to make payment, such as an EFTPOS terminal, and normally issues a receipt for the transaction. For small and medium-sized retailers, the POS is customised by retail industry, as different industries have different needs. For example, a grocery or candy store needs a scale at the point of sale, while bars and restaurants need to customise the item sold when a customer has a special meal or drink request. The modern point of sale also includes advanced functionality to cater to different verticals, such as inventory, CRM, financials and warehousing, all built into the POS software. Prior to the modern POS, all of these functions were done independently and required the manual re-keying of information, which resulted in many errors [20].

To implement this model we tested a system proposed by softdemo.net/pos [21]: the security question tables LOGSSQ for the Login process [Table 4], VPSSQ for the View Products process [Table 6] and APSSQ for the Add Products process [Table 5] were tested before developing the application. Demo soft is the Point of Sale (POS) application whose sample use case is given in Fig. 3. Figure 4 shows the LOGSSQ survey form, which surveys the sample security questions for the login process; it contains sample questions for identifying the security in the requirement stage. Every survey form also records the information of the user who fills it in, and survey forms can be created for the other processes in the same way. Here we show the survey form for the LOGSSQ table [Table 4] in Figure 4 and a survey result in Figure 5.


Figure 4. LOGSSQ Table for Survey Form

Figure 5. LOGSSQ Table Survey for POS

Figure 5 shows the survey result for the LOGSSQ table [Table 4] collected with the survey form of Figure 4. The survey result lists the name and email address of the user, the question serial number (SQN) and the remarks. In the same way, the other tables, such as the VPSSQ table [Table 6] and the APSSQ table [Table 5], can be surveyed.

VI. Conclusion

Security is a non-functional requirement that specifies the security criteria against which the system's operation can be judged. Nowadays, with the rapid development of web applications, security is not considered before the system is developed; as a result the delivered system contains serious holes and vulnerability issues arise. Our model specifies the system security in a systematic way during the requirement analysis phase, so that security concerns are added before the system is developed; this helps to mitigate the loss and risk of the software both before and after development, and makes security as a non-functional requirement a high-priority concern before any system is developed. The model has been applied to a point of sale system as a case study.

References

[1] Teodoro, N., Serrao, C., Web application security: Improving critical web-based applications quality through in-depth security analysis. Information Society (i-Society), 2011 International Conference on, London, 27-29 June 2011, pp. 457-462.
[2] Chapter 1 - Web Application Security Fundamentals, [Online] 2013, http://msdn.microsoft.com/en-us/library/ff648636.aspx (Accessed: 22 May 2013).
[3] Functional Requirement - Wikipedia, the free encyclopedia, [Online] 2013, http://en.wikipedia.org/wiki/Functional_requirement (Accessed: 18 May 2013).
[4] Ruth Malan and Dana Bredemeyer, Functional Requirements and Use Cases, Bredemeyer Consulting white paper, 8/3/01, 2001.
[5] R. T. Yeh, "Requirements Analysis - A Management Perspective," Proc. COMPSAC '82, Nov. 1982, pp. 410-416.
[6] Stellman, Andrew; Greene, Jennifer (2005). Applied Software Project Management. O'Reilly Media. p. 113. ISBN 978-0-596-00948-9.
[7] Nonfunctional Requirements, [Online] 2010, http://c2.com/cgi/wiki?NonFunctionalRequirements (Accessed: 15 May 2013).
[8] Mathew J. Schwartz, 6 Ways To Strengthen Web App Security, InformationWeek. [Online] http://www.informationweek.com/security/applicationsecurity/6-ways-to-strengthen-web-app-security/240006962 (Accessed: 5 May 2013).
[9] Category: OWASP Top Ten Project - OWASP. [Online] 2013, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project (Accessed: 10 May 2013).
[10] J. McDermott and C. Fox, "Using abuse-case models for security requirements analysis", Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC '99), Phoenix, Arizona, 1999.
[11] E. Chew, M. Swanson, K. Stine, N. Bartol, A. Brown and W. Robinson, "Performance measurement guide for information security", NIST Special Publication 800-55, National Institute of Standards and Technology, July 2008.
[12] Systems Engineering - Wikipedia, the free encyclopedia, [Online] 2013, http://en.wikipedia.org/wiki/Systems_engineering (Accessed: 8 April 2013).
[13] Unified Modeling Language - Wikipedia, the free encyclopedia, [Online] 2013, http://en.wikipedia.org/wiki/Unified_Modeling_Language (Accessed: 10 April 2013).
[14] Use Case - Wikipedia, the free encyclopedia, [Online] 2013, http://en.wikipedia.org/wiki/Use_Case (Accessed: 11 April 2013).
[15] Use Case Diagram - Wikipedia, the free encyclopedia, [Online] 2013, http://en.wikipedia.org/wiki/Use_Case_Diagram (Accessed: 4 March 2013).
[16] Quick definition of a UML use case diagram, How to create a UML use case diagram, [Online] 2013, http://www.modelio.org/tutorials/how-to-create-uml-use-case-diagram.html (Accessed: 4 March 2013).
[17] Laurie Williams, Dright Ho, Sarah Smith, Background on UML, Eclipse UML, and Use Case Diagrams, [Online] 2005, http://agile.csc.ncsu.edu/SEMaterials/tutorials/use_case_diagram/ (Accessed: 4 March 2013).
[18] D. Firesmith, "Security Use Cases", Journal of Object Technology, vol. 2, no. 3, May-June 2003, pp. 53-64, http://www.jot.fm/issues/issue_2003_05/column6.
[19] POSmatic, What is Point of Sale (POS)?, [Online] 2013, http://www.posmatic.com/point-ofsale/what-is-point-of-sale.php (Accessed: 4 March 2013).
[20] Point of sale - Wikipedia, the free encyclopedia, [Online] 2013, http://en.wikipedia.org/wiki/Point_of_sale (Accessed: 4 March 2013).
[21] Point of Sell Software - Login Panel, POS, [Online] 2013, http://softdemo.net/pos (Accessed: 24 May 2013).
