UML Design with Security Integration as First Class Citizen

Security for software applications involves de fining what needs to be protected (security policy), autho rizing privileges of the application to users, authenticat ing application users, and providing a high degree of security assurance in regards to the access of user s to the application. To address security during softwar e design/development, our previous work has proposed a model to incorporate role-based access control (RBAC) and mandatory access control (MAC) into the unified modeling language (UML) to support the definition of security for software applications. Included in thi s work is a series of design-time checks that insure that the defined RBAC/MAC security is always consistent as a UML design with security properties is created and modified. In this paper, we extend this effort by proposing a formal model that combines typed logic with active database language concepts in order to support the checking of constraints during design-t ime (as UML diagrams are created and modified) and post- design (for the entire UML design that represents a version) towards the attainment of security assuran ce. To demonstrate the feasibility and utility of our w ork on secure software design, our RBAC/MAC enhancements and the constraint checking has been integrated int o Borland's UML tool Together Control Center.