{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,25]],"date-time":"2025-09-25T14:40:29Z","timestamp":1758811229767},"reference-count":26,"publisher":"IGI Global","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2011,7]]},"abstract":"<jats:p>This paper describes results and reflects on the experience of engineering a secure web based system for the pre-employment screening domain. In particular, the paper presents results from a Knowledge Transfer Partnership (KTP) project between the School of Computing, IT and Engineering at the University of East London and the London-based award winning pre-employment company Powerchex Ltd. The Secure Tropos methodology, which is based on the principle of secure by design, has been applied to the project to guide the development of a web based system to support employment reference and background checking specifically for the financial services industry. Findings indicate the potential of the methodology for the development of secure web based systems, and support the argument of incorporating security considerations from the early stages of the software development process, i.e., the idea of secure by design. The developed system was tested by a third, independent to the project, party using a well known method of security testing, i.e., penetration testing, and the results provided did not indicate the presence of any major security problems. The experience and lessons learned by the application of the methodology to an industrial setting are also discussed in the paper.<\/jats:p>","DOI":"10.4018\/jsse.2011070102","type":"journal-article","created":{"date-parts":[[2011,10,19]],"date-time":"2011-10-19T16:46:28Z","timestamp":1319042788000},"page":"23-41","source":"Crossref","is-referenced-by-count":7,"title":["Secure by Design"],"prefix":"10.4018","volume":"2","author":[{"given":"Haralambos","family":"Mouratidis","sequence":"first","affiliation":[{"name":"University of East London, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Miao","family":"Kang","sequence":"additional","affiliation":[{"name":"Powerchex Ltd., UK"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"2432","reference":[{"key":"jsse.2011070102-0","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2003.1159030"},{"key":"jsse.2011070102-1","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-003-0183-z"},{"key":"jsse.2011070102-2","doi-asserted-by":"crossref","unstructured":"Basin, D., Doser, J., & Lodderstedt, T. (2003). Model driven security for process oriented systems. In Proceedings of the 8th ACM Symposium on Access Control Models and Technologies, Como, Italy.","DOI":"10.1145\/775412.775425"},{"issue":"2","key":"jsse.2011070102-3","article-title":"A systematic approach for analysis and design of secure health information systems.","volume":"62","author":"B.Blobel","year":"2001","journal-title":"International Journal of Medical Informatics"},{"key":"jsse.2011070102-4","doi-asserted-by":"publisher","DOI":"10.1023\/B:AGNT.0000018806.20944.ef"},{"key":"jsse.2011070102-5","doi-asserted-by":"crossref","unstructured":"Crook, R., Ince, D., Lin, L., & Nuseibeh, B. (2002). Security requirements engineering: When anti-requirements hit the fan. In Proceedings of the 10th International Requirements Engineering Conference (pp. 203-205).","DOI":"10.1109\/ICRE.2002.1048527"},{"key":"jsse.2011070102-6","doi-asserted-by":"crossref","unstructured":"Devanbu, P., & Stubblebine, S. (2000). Software engineering for security: A roadmap. In Proceedings of the International Conference on the Future of Software Engineering (pp. 201-211).","DOI":"10.1145\/336512.336559"},{"key":"jsse.2011070102-7","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-59904-147-6.ch002"},{"key":"jsse.2011070102-8","doi-asserted-by":"crossref","first-page":"89","DOI":"10.1080\/10864415.1999.11518343","article-title":"Viewing business-process security from different perspectives.","volume":"3","author":"G.Hermann","year":"1999","journal-title":"International Journal of Electronic Commerce"},{"key":"jsse.2011070102-9","author":"J.J\u00fcrjens","year":"2004","journal-title":"Secure systems development with UML"},{"key":"jsse.2011070102-10","doi-asserted-by":"crossref","unstructured":"J\u00fcrjens, J., Schreck, J., & Bartmann, P. (2008). Model-based security analysis for mobile communications. In Proceedings of the International Conference on Software Engineering (pp. 683-692).","DOI":"10.1145\/1368088.1368186"},{"key":"jsse.2011070102-11","doi-asserted-by":"publisher","DOI":"10.1109\/32.879820"},{"key":"jsse.2011070102-12","doi-asserted-by":"crossref","unstructured":"Lin, L., Nuseibeh, B., Ince, D., Jackson, M., & Moffett, J. (2003). Introducing abuse frames for analysing security requirements. In Proceedings of the 11th IEEE International Requirements Engineering Conference, Monterey, CA (pp. 371-372).","DOI":"10.1109\/ICRE.2003.1232791"},{"key":"jsse.2011070102-13","doi-asserted-by":"crossref","unstructured":"Liu, L., Yu, E., & Mylopoulos, J. (2003). Security and privacy requirements analysis within a social setting. In Proceedings of the 11th International Requirements Engineering Conference (pp. 151-161).","DOI":"10.1109\/ICRE.2003.1232746"},{"key":"jsse.2011070102-14","doi-asserted-by":"crossref","unstructured":"Lodderstedt, T., Basin, D., & Doser, J. (2002). SecureUML: A UML-based modelling language for model-driven security. In J.-M. J\u00e9z\u00e9quel, H. Hussmann, & S. Cook (Eds.), Proceedings of the 5th International Conference on the Unified Modeling Language (LNCS 2460, pp. 426-441).","DOI":"10.1007\/3-540-45800-X_33"},{"key":"jsse.2011070102-15","doi-asserted-by":"crossref","unstructured":"McDermott, J., & Fox, C. (1999). Using abuse case models for security requirements analysis. In Proceedings of the 15th Annual Computer Security Applications Conference (pp. 55-64).","DOI":"10.1109\/CSAC.1999.816013"},{"key":"jsse.2011070102-16","first-page":"44","article-title":"Identifying security requirements using the security quality requirements engineering (SQUARE) method","author":"N. R.Mead","year":"2006","journal-title":"Integrating security and software engineering"},{"key":"jsse.2011070102-17","unstructured":"Mouratidis, H. (2004). A security oriented approach in the development of multiagent systems: Applied to the management of the health and social care needs of older people in England. Unpublished doctoral dissertation, University of Sheffield, South Yorkshire, UK."},{"key":"jsse.2011070102-18","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-59904-147-6"},{"key":"jsse.2011070102-19","doi-asserted-by":"publisher","DOI":"10.1016\/j.is.2007.03.002"},{"key":"jsse.2011070102-20","doi-asserted-by":"crossref","unstructured":"Mouratidis, H., J\u00fcrjens, J., & Fox, J. (2006). Towards a comprehensive framework for secure systems development. In E. Dubois & K. Pohl (Eds.), Proceedings of the 18th International Conference on Advanced Information Systems Engineering (LNCS 4001, pp. 48-62).","DOI":"10.1007\/11767138_5"},{"key":"jsse.2011070102-21","unstructured":"Schumacher, M., & Roedig, U. (2001). Security engineering with patterns. In Proceedings of the 8th Conference on Pattern Languages for Programs, Chicago, IL."},{"key":"jsse.2011070102-22","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-004-0194-4"},{"key":"jsse.2011070102-23","author":"W.Stallings","year":"1999","journal-title":"Cryptography and network security: Principles and practice"},{"key":"jsse.2011070102-24","author":"T.Wilhelm","year":"2009","journal-title":"Professional penetration testing: Creating and operating a formal hacking lab"},{"key":"jsse.2011070102-25","unstructured":"Yu, E. (1995). Modelling strategic relationships for process reengineering. Unpublished doctoral dissertation, University of Toronto, Toronto, ON, Canada."}],"container-title":["International Journal of Secure Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=58506","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,2,8]],"date-time":"2019-02-08T06:39:17Z","timestamp":1549607957000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jsse.2011070102"}},"subtitle":["Developing Secure Software Systems from the Ground Up"],"short-title":[],"issued":{"date-parts":[[2011,7]]},"references-count":26,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.4018\/jsse.2011070102","relation":{},"ISSN":["1947-3036","1947-3044"],"issn-type":[{"value":"1947-3036","type":"print"},{"value":"1947-3044","type":"electronic"}],"subject":[],"published":{"date-parts":[[2011,7]]}}}