物件導向軟體之架構(Object-Oriented Software Construction)探討

Aspect] is a simple and practical aspect-oriented extension to Java With just a few new constructs, AspectJ provides support for modular implementation of a range of crosscutting concerns. In AspectJ's dynamic join point model, join points are well-defined points in the execution of the program; pointcuts are collections of join points; advice are special method-like constructs that can be attached to pointcuts; and aspects are modular units of crosscutting implementation, comprising pointcuts, advice, and ordinary Java member declarations. AspectJ code is compiled into standard Java bytecode. Simple extensions to existing Java development environments make it possible to browse the crosscutting structure of aspects in the same kind of way as one browses the inheritance structure of classes. Several examples show that AspectJ is powerful, and that programs written using it are easy to understand.

An overview of AspectJ

Information practices that use personal, financial, and health-related information are governed by US laws and regulations to prevent unauthorized use and disclosure. To ensure compliance under the law, the security and privacy requirements of relevant software systems must properly be aligned with these regulations. However, these regulations describe stakeholder rules, called rights and obligations, in complex and sometimes ambiguous legal language. These "rules" are often precursors to software requirements that must undergo considerable refinement and analysis before they become implementable. To support the software engineering effort to derive security requirements from regulations, we present a methodology for directly extracting access rights and obligations from regulation texts. The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures. We present results from applying this methodology to the entire regulation text of the US Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

/pdf/analyzing-regulatory-rules-for-privacy-and-security-zb21wihruy.pdf

Analyzing Regulatory Rules for Privacy and Security Requirements

When using Aspect Oriented Programming in the development of software components, a developer must understand the program units actually changed by weaving, how they behave, and possibly correct the aspects used. Support for rapid AOP prototyping and debugging is therefore crucial in such situations. Rapid prototyping is difficult with current aspect weaving tools because they do not support dynamic changes. This paper describes PROSE (PROgrammable extenSions of sErvices), a platform based on Java which addresses dynamic AOP. Aspects are expressed in the same source language as the application (Java), and PROSE allows aspects to be woven, unwoven, or replaced at run-time.

https://www.lst.ethz.ch/research/publications/AOSD_2002/AOSD_2002.pdf

Dynamic weaving for aspect-oriented programming

This paper summarizes the current state of the art and recent trends in software engineering economics. It provides an overview of economic analysis techniques and their applicability to software engineering and management. It surveys the field of software cost estimation, including the major estimation techniques available, the state of the art in algorithmic cost models, and the outstanding research issues in software cost estimation.

Software engineering economics

Development processes for software construction are common knowledge and mainstream practice in most development organizations. Unfortunately, these processes offer little support in order to meet security requirements. Over the years, research efforts have been invested in specific methodologies and techniques for secure software engineering, yet dedicated processes have been proposed only recently. In this paper, three high-profile processes for the development of secure software, namely OWASP's CLASP, Microsoft's SDL and McGraw's Touchpoints, are evaluated and compared in detail. The paper identifies the commonalities, discusses the specificity of each approach, and proposes suggestions for improvement.

On the secure software development process: CLASP, SDL and Touchpoints compared

The separation-of-concerns principle is one of the essential principles in software engineering It says that software should be decomposed in such a way that different “concerns” or aspects of the problem at hand are solved in well-separated modules or parts of the software Yet, many security experts feel uneasy about trying to isolate security-related concerns, because security is such a pervasive property of a piece of software And in fact, separating security-related concerns such as access control, or defensive input checking, is indeed very hard to achieve with current software engineering techniques While the authors fully agree with the observation that security is a pervasive property, they argue in this position paper that attempts to separate security aspects from other aspects of an application (even though in many cases not completely successful) are a necessary means to raise the security level of most applications The two main arguments are: increased flexibility of the security mechanisms (leading to easier adaptation to unanticipated or evolving risks), and better-focused efforts of the few security experts in the development team, leading to fewer security design and implementation errors

On the importance of the separation-of-concerns principle in secure software engineering

Aspect-Oriented Programming represents a (if not the most) promising approach to improve the software development process in cases where application requirements that seem to be well-separated result in software behavior that crosscuts the basic decomposition of the application. The domain of software security is an excellent real-world concern that requires sophisticated solutions to this well-known challenge of separation of concerns. In this paper, we report upon our experiences in using AspectJ to secure application software in a manageable way. Our case studies illustrate the effectiveness of AOP technology and show encouraging results, though we also highlight some challenges to be addressed in the further development of aspect-oriented software development technology.

Developing secure applications through aspect-oriented programming

https://link.springer.com/content/pdf/10.1007%2F0-306-46958-8_9.pdf

Security Through Aspect-Oriented Programming

Development processes for software construction are common knowledge and mainstream practice in most development organizations. Unfortunately, these processes offer little support in order to meet security requirements. Over the years, research efforts have been invested in specific methodologies and techniques for secure software engineering, yet complete, dedicated processes have been proposed only recently. In this paper, two high-profile processes for the development of secure software, namely OWASP's CLASP and Microsoft's SDL, are evaluated and compared in detail. The paper identifies the commonalities, discusses the specificity of each approach, and proposes suggestions for improvement.

Bart De Win

Papers

On the secure software development process: CLASP, SDL and Touchpoints compared

On the importance of the separation-of-concerns principle in secure software engineering

Developing secure applications through aspect-oriented programming

Security Through Aspect-Oriented Programming

On the Secure Software Development Process: CLASP and SDL Compared