Integrating security design into the software development process for e-commerce systems

Development of Web-based e-commerce systems has posed challenges in different dimensions of the software development process including design, maintenance and performance. Non-functional requirements such as performance added to the system as an after thought would lead to extremely high cost and undesirable effects. Security, rarely regarded in the past as one of the non-functional requirements, has to be integrated into the software development process due to its impact on e-commerce systems. In this paper, a design methodology based on systems security engineering capability maturity model (SSE-CMM) is proposed to specify design details for the three defined processes: risk, engineering and assurance. By means of an object-oriented security design pattern, security design covering impact, threats, risks and countermeasures for different parts of an e-commerce system can be examined systematically in the risk process. The proposed software development process for secured systems (SDPSS), representing the engineering process, consists of four steps: object and collaboration modeling, tier identification, component identification and deployment specification. Selected unified modeling language notations and diagrams are used to support the SDPSS. Using a simplified supply-chain e-commerce system as an example, integration of security design into the software development process is shown with discussions of possible security assurance activities that can be performed on a design.