JP5251823B2 - Development support program, development support apparatus, and development support method - Google Patents

Description

  The present invention relates to a development support program, a development support apparatus, and a development support method that support development.

  In the conventional software development, the developer is developing mainly assuming the function he wants to realize. In software development, various software development support technologies are disclosed (for example, see Patent Documents 1 to 3 below).

JP 2004-110274 A JP 2008-117066 A JP 2009-134535 A

  However, in the above-described conventional software development, since the developer mainly develops the function that he / she wants to realize, it is difficult to implement the security function considering the behavior that the developer does not assume. In addition, there is a problem that the burden on the developer increases due to such implementation.

  Also, a prototype (mockup) for confirming the operation of the software at the design stage is created once, and after confirming the operation, the development to implement the finished version is often done. It was difficult to implement security functions when they were not completed.

  Furthermore, when re-creating, the security function calling process is re-created, which increases the burden on the developer.

  The present invention provides a development support program, a development support apparatus, and a development support method capable of improving the comprehensiveness of implementation related to security functions and reducing the burden on the developer in order to eliminate the above-described problems caused by the prior art. The purpose is to do.

  In order to solve the above-mentioned problems and achieve the objectives, the disclosed development support program, development support device, and development support method have a use case definition that expresses the functions to be developed, with security attributes for the use cases specified. The development in which the class definition is generated by converting the use case and the security attribute into a class based on the acquired use case definition, and the class in the generated class definition is associated with the object. The sequence definition indicating the target operation is acquired, the object related to the class is converted into a class in the acquired sequence definition, and the security attribute associated with the class is added to insert the program into the program related to the development target It is necessary to generate a source code template .

  According to the above configuration, the security attribute that the software should have in the use case definition and sequence definition created in the upstream development is set, and based on the security attribute, the call processing of the security countermeasure code is embedded at an appropriate location. Source code template "can be generated. The developer performs programming based on the source code template, so that security measures are not lost downstream in the development. That is, according to the development support program, the development support apparatus, and the development support method, there is an effect that it is possible to improve the completeness of implementation related to the security function and reduce the burden on the developer.

It is a system configuration figure of the development support system concerning this embodiment. It is a block diagram which shows the hardware constitutions of the computer used as the development environment and development assistance apparatus concerning embodiment. It is explanatory drawing which shows an example of the memory content of threat and countermeasure DB. It is explanatory drawing which shows an example of the memory content of countermeasure program DB. It is explanatory drawing which shows an example of the use case figure concerning this Embodiment. FIG. 6 is an explanatory diagram (No. 1) showing a use case definition related to the use case diagram shown in FIG. 5. FIG. 7 is an explanatory diagram (part 1) in which the use case definition illustrated in FIG. 6 is expressed in a tabular data structure. FIG. 7 is an explanatory diagram (part 2) in which the use case definition illustrated in FIG. 6 is expressed in a tabular data structure. FIG. 7 is an explanatory diagram (part 3) in which the use case definition illustrated in FIG. 6 is expressed in a tabular data structure. FIG. 7 is an explanatory diagram (part 4) in which the use case definition illustrated in FIG. 6 is expressed in a tabular data structure. It is explanatory drawing which expressed the class definition with the data structure of the table form. FIG. 6 is a sequence diagram corresponding to the upper half of the use case diagram of FIG. 5. It is explanatory drawing which shows the sequence definition regarding the sequence diagram shown in FIG. FIG. 6 is a sequence diagram corresponding to the lower half of the use case diagram of FIG. 5. It is explanatory drawing which shows the sequence definition regarding the sequence diagram shown in FIG. FIG. 16 is an explanatory diagram (part 1) of the sequence definition illustrated in FIGS. 13 and 15 expressed in a tabular data structure. FIG. 16 is an explanatory diagram (part 2) in which the sequence definition illustrated in FIGS. 13 and 15 is expressed in a tabular data structure. It is explanatory drawing which shows an example of a threat and countermeasure definition. It is explanatory drawing which shows an example of a countermeasure program. It is explanatory drawing which shows the other example of a countermeasure program. It is explanatory drawing (the 1) which shows an example of 1 generation of a source code model. It is explanatory drawing (the 2) which shows an example of 1 generation of a source code model. It is explanatory drawing (the 3) which shows one generation example of a source code model. It is explanatory drawing (the 4) which shows an example of 1 generation of a source code model. It is explanatory drawing (the 1) which shows the other example of a source code template. It is explanatory drawing (the 2) which shows the other example of a source code template. It is explanatory drawing (the 3) which shows the other example of a source code template. It is explanatory drawing (the 4) which shows the other example of a production | generation of a source code template. It is a flowchart which shows the class generation process procedure by a class generation part. It is a flowchart which shows the generation process procedure of the threat and countermeasure definition by a threat and countermeasure generation part. It is a flowchart which shows the countermeasure program production | generation procedure by a countermeasure program extraction part. It is a flowchart which shows the source code template production | generation processing procedure by a source code template production | generation part.

  Exemplary embodiments of a development support program, a development support apparatus, and a development support method according to the present invention will be explained below in detail with reference to the accompanying drawings. In the present embodiment, software development is described as an example, but the present invention can be applied not only to software development but also to hardware development.

(System configuration)
FIG. 1 is a system configuration diagram of a development support system according to the present embodiment. In FIG. 1, the development support system 100 includes a development environment 101 and a development support apparatus 102. The development environment 101 is an environment including a drawing tool 103 and an execution environment 104 that have been conventionally used in software development, and is configured by a computer. The development support apparatus 102 is a computer that supports software development in the development environment 101. The development support apparatus 102 can access a threat / countermeasure database (DB) 105 and a countermeasure program DB 106. Note that the computer used in the development environment 101 and the computer used as the development support apparatus 102 may be integrated or may be separate computers.

  First, in the development environment 101, a developer creates a use case definition 111 that functionally represents software to be developed. The use case definition 111 can be displayed as a use case diagram. Note that the use case definition 111 is different from the normal use case definition 111, and security attributes and data assets are added. This point will be described later.

  In addition, the development environment 101 obtains a class definition 112 corresponding to the use case definition 111 from the development support apparatus 102 by giving the use case definition 111 to the development support apparatus 102. The developer uses the class definition 112 to create a sequence definition 113 that represents the operation of the software to be developed. The sequence definition 113 can be displayed as a sequence diagram.

  The development environment 101 obtains a class definition corresponding to the sequence definition 113 from the development support apparatus 102 by giving the sequence definition 113 to the development support apparatus 102. Security attributes, which are attributes relating to security that the software to be developed should have, are specified for classes (objects of the sequence definition 113) and methods (messages of the sequence definition 113) in the class definition. Such a class definition is referred to as a “source code template” in the present embodiment.

  Since the source code template 114 describes which security attribute is specified for which class and which method, the developer refers to the source code template 114 and develops the development target program 115 (first, Prototype 115a) is created. The development environment 101 gives the prototype 115 a to the execution environment 104. The execution environment 104 executes the prototype 115a.

  If there is a problem with the prototype 115a, the developer repeatedly corrects it and applies it to the execution environment 104, and finally creates a finished product 115b. Then, the finished product 115b is given to the execution environment 104. The execution environment 104 executes the finished product 115b.

  In the present embodiment, since software development is performed using aspect-oriented programming (AOP), a countermeasure program 126 obtained from the development support apparatus 102 when the execution environment 104 is executed. It is inserted into the development target program 115.

  In the implementation of aspect-oriented programming, one concern is realized in particular across multiple interests (such as AspectJ). These implementations use the concept of dependency injection, which reverses the relationship between normal programs and subroutines.

  In this embodiment, the dependency on the function of the security program is reduced by introducing aspect-oriented programming. This eliminates the need to describe the call to the countermeasure program 126 in the prototype 115a. That is, since the countermeasure program 126 is inserted from the development support apparatus 102 due to the reversal of the dependency, the features necessary for inserting the countermeasure program 126 are maintained even if the code changes from the development target program of the prototype 115a to the implementation. Therefore, the countermeasure program 126 can be inserted similarly.

  Further, the development support apparatus 102 can access the threat / countermeasure DB 105 and the countermeasure program DB 106, and includes a class generation unit 121, a source code template generation unit 122, a threat / countermeasure generation unit 123, and a countermeasure program extraction unit 125. And having.

  The threat / countermeasure DB 105 is a database that stores a threat indicating a security attack and information related to the countermeasure for each security attribute. The countermeasure program DB 106 is a database that stores a countermeasure program 126 for realizing the countermeasure.

  The class generation unit 121 generates a class definition 112 from the use case definition 111. Specifically, the use case definition 111 is converted into a class definition 112 and the class definition 112 is returned. The source code template generation unit 122 generates a source code template 114 from the sequence definition 113. Specifically, the sequence definition 113 is converted into the class definition 112, and the source code template 114 specifying the security attribute is returned.

  The threat / countermeasure generation unit 123 refers to the threat / countermeasure DB 105 to generate a threat / countermeasure definition 124 from the use case definition 111. Specifically, the threat / countermeasure definition 124 is generated by reading from the threat / countermeasure DB 105 threats corresponding to the security attributes included in the use case definition 111 and information related to the countermeasures.

  The countermeasure program extraction unit 125 extracts the corresponding countermeasure program 126 from the countermeasure program DB 106 using the threat / countermeasure definition 124 as a key. In the countermeasure program 126, in addition to a program code indicating an actual countermeasure such as an authentication process or an encryption process, an annotation (annotation) for designating an insertion position of the development target program is designated according to the threat / countermeasure definition 124. . The countermeasure program 126 is inserted and executed when the development target program executes the corresponding position.

(Computer hardware configuration)
FIG. 2 is a block diagram of a hardware configuration of a computer that becomes the development environment 101 and the development support apparatus 102 according to the embodiment. In FIG. 2, the computer includes a CPU (Central Processing Unit) 201, a ROM (Read-Only Memory) 202, a RAM (Random Access Memory) 203, a magnetic disk drive 204, a magnetic disk 205, and an optical disk drive 206. An optical disk 207, a display 208, an I / F (Interface) 209, a keyboard 210, a mouse 211, a scanner 212, and a printer 213. Each component is connected by a bus 200.

  Here, the CPU 201 governs overall control of the development support apparatus 102. The ROM 202 stores a program such as a boot program. The RAM 203 is used as a work area for the CPU 201. The magnetic disk drive 204 controls reading / writing of data with respect to the magnetic disk 205 according to the control of the CPU 201. The magnetic disk 205 stores data written under the control of the magnetic disk drive 204.

  The optical disk drive 206 controls reading / writing of data with respect to the optical disk 207 according to the control of the CPU 201. The optical disk 207 stores data written under the control of the optical disk drive 206, or causes the computer to read data stored on the optical disk 207.

  The display 208 displays data such as a document, an image, and function information as well as a cursor, an icon, or a tool box. As the display 208, for example, a CRT, a TFT liquid crystal display, a plasma display, or the like can be adopted.

  An interface (hereinafter abbreviated as “I / F”) 209 is connected to a network 214 such as a LAN (Local Area Network), a WAN (Wide Area Network), and the Internet through a communication line. Connected to other devices. The I / F 209 controls an internal interface with the network 214 and controls data input / output from an external device. For example, a modem or a LAN adapter may be employed as the I / F 209.

  The keyboard 210 includes keys for inputting characters, numbers, various instructions, and the like, and inputs data. Moreover, a touch panel type input pad or a numeric keypad may be used. The mouse 211 performs cursor movement, range selection, window movement, size change, and the like. A trackball or a joystick may be used as long as they have the same function as a pointing device.

  The scanner 212 optically reads an image and takes in the image data into the computer. The scanner 212 may have an OCR (Optical Character Reader) function. The printer 213 prints image data and document data. As the printer 213, for example, a laser printer or an ink jet printer can be employed.

  Specifically, the threat / countermeasure DB 105 and the countermeasure program DB 106 shown in FIG. 1 realize their functions by a storage device such as the ROM 202, the RAM 203, the magnetic disk 205, and the optical disc 207 shown in FIG. Specifically, the class generation unit 121, the source code template generation unit 122, the threat / countermeasure generation unit 123, and the countermeasure program extraction unit 125 are, for example, the ROM 202, the RAM 203, the magnetic disk 205, and the like shown in FIG. The function is realized by causing the CPU 201 to execute a program stored in a storage device such as the optical disk 207.

(Description of database)
FIG. 3 is an explanatory diagram showing an example of the contents stored in the threat / countermeasure DB 105. The threat / countermeasure DB 105 is a data structure having security attribute items, threat items, flow directions, and countermeasure items. The security attribute item defines security attributes. A security attribute is information that identifies the type of security. Specifically, for example, availability (Availability), confidentiality (Confidentiality), integrity (integrity), etc. are mentioned. Threats, flow directions, and countermeasures are defined for each security attribute.

  The threat item defines a threat by a threat identifier item and a threat name. The threat identifier is an identifier unique to the threat, and the threat name is a name of a threat indicating a security attack. The flow direction item defines a flow direction indicating a data flow.

  Since the data flow is not defined in the relation used in the use case definition 111 (use case diagram), the data flow corresponding to the security attribute is defined as the flow direction. The flow direction item defines three types of flow directions: input (→), output (←), and input / output (← →).

  “Input (→)” indicates data input to the use case targeted by the threat, and output (←) indicates data output from the use case targeted by the threat, and input / output (← →) indicates the input / output of data of the use case that is the target of the threat.

  Countermeasure items specify countermeasures by countermeasure identifier and countermeasure name. The countermeasure identifier is an identifier unique to the countermeasure, and the countermeasure name is the name of the countermeasure for protecting the software from the threat of the same record.

  FIG. 4 is an explanatory diagram showing an example of the contents stored in the countermeasure program DB 106. The countermeasure program DB 106 has countermeasure items and countermeasure program items. Countermeasure items specify countermeasures by countermeasure identifier and countermeasure name. The countermeasure identifier is an identifier unique to the countermeasure, and the countermeasure name is the name of the countermeasure for protecting the software from the threat. The countermeasure program 126 is a program code for protecting software from threats.

(Explanation of various data)
FIG. 5 is an explanatory diagram showing an example of a use case diagram 500 according to this embodiment. In FIG. 5, a use case diagram 500 is created by the drawing tool 103 in the development environment 101. In the upper half of the use case diagram 500 in FIG. 5, the actor a0 (user) and the use case u0 (user function) are connected by the association c0. Use case u0 is associated with security attribute: availability. A data asset d0 (function relation 0) is associated with the relation c0. The data asset d0 here is associated with “input / output (← →)” as the flow direction.

  In the lower half of the use case diagram 500 in FIG. 5, the actor a1 (administrator) and the use case u1 (function for manager) are connected by the association c1. Use case u1 is associated with security attribute: availability. A data asset d1 (function relation 1) is associated with the relation c1. The data asset d1 is associated with “input / output (← →)” as the flow direction. Further, security attributes: availability and integrity are associated with the data asset d1.

  FIG. 6 is an explanatory diagram showing the use case definition 111 related to the use case diagram 500 shown in FIG. Here, it is described in XML (Extensible Markup Language) as an example.

  7 to 10 are explanatory diagrams expressing the use case definition 111 shown in FIG. 6 in a tabular data structure. 7 shows an actor, FIG. 8 shows a use case, FIG. 9 shows a relationship, and FIG. 10 shows a data structure of a data asset.

  FIG. 11 is an explanatory diagram representing the class definition 112 in a tabular data structure. The class definition 112 is generated by the class generation unit 121. Specifically, the class generation unit 121 generates a class for each use case and data asset with reference to the data structures of FIGS. 8 and 10, adds security attributes associated therewith, and class Give an identifier. As a result, the class definition 112 is generated.

  FIG. 12 is a sequence diagram corresponding to the upper half of the use case diagram 500 of FIG. In the sequence diagram 1200 of FIG. 12, an object 1201 is a client corresponding to an actor a0 (user), and an object 1202 corresponds to a class CL0 that is a function for users. Messages 1210 to 1213 indicate communication between the client 1201 and the object 1202. The developer associates the created sequence definition 113 (sequence diagram) with the class definition 112 in the development environment 101. Specifically, for example, the object 1202 in FIG. 12 is associated with the class CL1 of the class definition 112.

  FIG. 13 is an explanatory diagram showing a sequence definition 113 related to the sequence diagram 1200 shown in FIG. The sequence definition 1300 in FIG. 13 is described in XML (Extensible Markup Language) as an example.

  FIG. 14 is a sequence diagram corresponding to the lower half of the use case diagram 500 of FIG. In the sequence diagram 1400 of FIG. 14, an object 1401 is a client corresponding to an actor a1 (administrator), and an object 1402 corresponds to a class CL1 that is a function for administrators. Messages 1410 to 1413 indicate communication between the object 1401 and the object 1402.

  The developer associates the created sequence definition 113 with the class definition 112 in the development environment 101. Specifically, for example, the object 1402 in FIG. 14 is associated with the class CL2 of the class definition 112. Furthermore, for the messages 1411 and 1412 in FIG. 14, the class CL3 (function related) that is a data asset between the object 1401 (actor a1) and the object 1402 (use case u1) is used as an argument of access11 () and access12 (). Give 1).

  FIG. 15 is an explanatory diagram showing the sequence definition 113 related to the sequence diagram 1400 shown in FIG. The sequence definition 1500 in FIG. 15 is described in XML as an example.

  FIGS. 16 and 17 are explanatory diagrams expressing the sequence definition 113 shown in FIGS. 13 and 15 in a tabular data structure. 16 shows an object, and FIG. 17 shows a message data structure.

  FIG. 18 is an explanatory diagram showing an example of the threat / countermeasure definition 124. The threat / countermeasure definition 124 is information generated by the threat / countermeasure generation unit 123. Specifically, for example, when there is a use case with security attribute: availability in the use case diagram 500, a threat (threat identifier and threat name) related to security attribute: availability is extracted from the threat / measure DB 105. Then, the use case identifier of the use case that is the threat target is associated with the extracted threat. Similarly, measures (measure identifier and measure name) corresponding to the extracted threat are extracted from the threat / measure DB 105. Then, the use case identifier of the use case targeted for the countermeasure is associated with the extraction countermeasure.

  When there is a data asset with security attributes: confidentiality and integrity in the use case diagram 500, threats (threat identifier and threat name) related to security attributes: confidentiality and integrity are extracted from the threat / measure DB 105. Then, the data asset identifier of the data asset that is the threat target is associated with the extracted threat. Similarly, measures (measure identifier and measure name) corresponding to the extracted threat are extracted from the threat / measure DB 105. Then, the data asset identifier of the data asset targeted for the countermeasure is associated with the extraction countermeasure.

  19 and 20 are explanatory diagrams illustrating an example of the countermeasure program 126. FIG. The countermeasure programs 1900 and 2000 shown in FIG. 19 and FIG. 20 show description examples using AspectJ. The countermeasure program 126 in FIG. 19 is a countermeasure program 126 (identification authentication program) corresponding to the upper half of the use case diagram 500, and the countermeasure program 126 in FIG. 20 is a countermeasure corresponding to the lower half of the use case diagram 500. This is a program 126 (encryption program).

  In FIG. 19, an upper half part 1901 is a description that defines security attributes, and a lower half part 1902 is a description that defines the program code of the countermeasure program 126 to be inserted. In the upper half portion 1901, reference numeral 1903 indicated by an underline is a description for designating an insertion location. The description 1903 specifies an arbitrary method call in the class to which the security attribute: availability is given.

  In the lower half 1902, a reference numeral 1904 indicated by an underline is a description for designating where to insert the method. Specifically, before execution of the method (Before), during execution (Around (replacement)), and after execution (After) are described. Which is described is set in advance by the program code of the countermeasure program 126, for example, “Before” when the countermeasure is “identification / authentication”.

  Reference numeral 1905 indicated by an underline is a program code of the countermeasure program 126. The program code of the countermeasure program 126 extracted from the countermeasure program DB 106 is described at a position 1905.

  In FIG. 20, as in FIG. 19, the upper half 2001 is a description that defines the security attribute, and the lower half 2002 is a description that defines the program code of the countermeasure program 126 to be inserted. In the upper half 2001, reference numeral 2003 indicated by an underline is a description for designating an insertion location. The description 2003 specifies an arbitrary method call in the class to which the security attribute: integrity is given.

  Further, in the lower half 2002, a reference numeral 2004 indicated by an underline is a description that designates where to insert the method, like the description 1904. Reference numeral 2005 indicated by an underline is a program code of the countermeasure program 126. In the example of FIG. 20, since the security attribute: integrity is defined, the corresponding “encrypted” program code is described.

(Example of generating the source code template 114)
FIGS. 21 to 24 and FIGS. 25 to 28 are explanatory diagrams showing examples of generating the source code template 114. 21 to 24 show examples of generating the source code template 114 corresponding to the sequence definition 1300, and FIGS. 25 to 28 show examples of generating the source code template 114 corresponding to the sequence definition 1500. Yes. Hereinafter, for ease of understanding, description will be given using sequence diagrams 1200 and 1400.

  FIG. 21 shows a state in which objects 1201 and 1202 are extracted from the sequence diagram 1200, and classes (“Client” and “functions for users”) corresponding to the extracted objects 1201 and 1202 are generated.

  22 extracts the messages 1210 to 1213 from the sequence diagram 1200, and extracts the methods corresponding to the messages 1210 to 1213 (“function for do user ()”, “access01 () to access03) for each of the extracted objects 1201 and 1202. () ") Indicates a generated state.

  FIG. 23 shows a state in which messages 1210 to 1213 are extracted from the sequence diagram 1200 and a process to be a template in the method of FIG. 22 is generated. Specifically, a message generated by the client is generated. The generation process from FIGS. 21 to 23 can be realized by an existing class generation process.

  FIG. 24 shows a source code template 2400 generated by generating an annotation (mark like a comment that does not affect processing, “@” in FIG. 24) corresponding to the security attribute of the class or method, and adding it to the declaration part. Show. FIG. 24 is a generation example of the source code template 2400 corresponding to the sequence diagram 1200. Therefore, the security attribute is available for the class (corresponding to the object (corresponding to the function for the user)) and the method (corresponding to Message (corresponding to function-related 0)) is a description without confidentiality and integrity.

  FIG. 25 shows a state in which objects 1401 and 1402 are extracted from the sequence diagram 1400 and classes (“Client” and “function for manager”) corresponding to the extracted objects 1401 and 1402 are generated.

  26 extracts the messages 1410 to 1413 from the sequence diagram 1400 and extracts the methods (“do manager function ()”, “access11 () to access13) corresponding to the messages 1410 to 1413 for each of the extracted objects 1401 and 1402. () ") Indicates a generated state.

  FIG. 27 shows a state in which messages 1410 to 1413 are extracted from the sequence diagram 1400, and a process that becomes a template in the method of FIG. 26 is generated. Specifically, a message generated by the client is generated. The generation processing from FIGS. 25 to 27 can be realized by existing class generation processing.

  FIG. 28 shows a source code template 2800 generated by generating an annotation (a mark like a comment that does not affect processing, “@” in FIG. 28) corresponding to the security attribute of the class or method and adding it to the declaration part. Show. FIG. 28 is a generation example of the source code template 2800 corresponding to the sequence diagram 1400. Therefore, the security attribute is available for the class (corresponding to the object (corresponding to the function for the administrator)) and the method (corresponding to Message (corresponding to function-related 1) is not confidential and complete.

(Development support procedure)
Next, a development support processing procedure by the development support apparatus 102 according to the present embodiment will be described.

  FIG. 29 is a flowchart showing a class generation processing procedure by the class generation unit 121. First, the class generation unit 121 reads the use case definition 111 (step S2901), and extracts the use case from the use case definition 111 (step S2902). Then, the class generation unit 121 generates a class corresponding to the extracted use case, and assigns a class identifier (step S2903). In addition, the class generation unit 121 assigns a use case name as a class name (step S2904). If the extracted use case has a security attribute (availability), it is assigned to the security attribute of the class (step S2905). Thereby, the class definition 112 for one record shown in FIG. 10 is generated.

  Thereafter, the class generation unit 121 determines whether there is an unextracted use case (step S2906), and when there is an unextracted use case (step S2906: Yes), the process returns to step S2902. On the other hand, when there is no unextracted use case (step S2906: No), the class generation unit 121 extracts a data asset from the use case definition 111 (step S2907). Then, the class generation unit 121 generates a corresponding class for the extracted data asset and assigns a class identifier (step S2908).

  In addition, the class generation unit 121 assigns a data asset name as a class name (step S2909). If the extracted data asset has a security attribute (confidentiality, integrity), the class generation unit 121 assigns it to the security attribute of the class (step S2910). Thereby, the class definition 112 for one record shown in FIG. 10 is generated.

  Thereafter, the class generation unit 121 determines whether or not there is an unextracted data asset (step S2911). If there is an unextracted data asset (step S2911: Yes), the process returns to step S2907. On the other hand, when there is no unextracted data asset (step S2911: No), the class definition 112 shown in FIG. 10 is written (step S2912). Thereby, a series of class generation processing is completed.

  FIG. 30 is a flowchart showing a processing procedure for generating the threat / countermeasure definition 124 by the threat / countermeasure generating unit 123. First, the threat / measure generation unit 123 reads the use case definition 111 (step S3001), extracts a use case from the use case definition 111 (step S3002), and extracts a security attribute (step S3003). Thereafter, the threat / countermeasure generation unit 123 extracts all threats corresponding to the extracted security attributes from the threat / countermeasure DB 105 (step S3004). Then, the use case identifier of the extracted use case is registered as the target of the extracted threat (step S3005).

  Next, the threat / countermeasure generation unit 123 extracts all the countermeasures corresponding to the extracted threat from the threat / countermeasure DB 105 (step S3006). Then, the threat / countermeasure generating unit 123 registers the use case identifier of the extracted use case as an extraction countermeasure target (step S3007). Thereby, one availability record is generated.

  Thereafter, the threat / countermeasure generating unit 123 determines whether or not there is an unextracted use case (step S3008). If there is an unextracted use case (step S3008: Yes), the process returns to step S3002. On the other hand, when there is no unextracted use case (step S3008: No), the threat / measure generation unit 123 extracts a data asset (data asset identifier and data asset name) from the use case definition 111 (step S3009), Security attributes and flow directions are extracted (step S3010).

  Thereafter, the threat / countermeasure generation unit 123 extracts all threats having the same extracted security attribute and flow direction from the threat / countermeasure DB 105 (step S3011). Then, the threat / countermeasure generating unit 123 registers the data asset identifier of the extracted data asset as the target of the extracted threat (step S3012). Next, the threat / countermeasure generation unit 123 extracts a countermeasure corresponding to the extracted threat from the threat / countermeasure DB 105 (step S3013). Then, the data asset identifier of the extracted data asset is registered as an extraction countermeasure target (step S3014). As a result, records for one security attribute (confidentiality, integrity) are generated.

  Thereafter, the threat / measure generation unit 123 determines whether or not there is an unextracted data asset (step S3015). If there is an unextracted data asset (step S3015: Yes), the process returns to step S3009. On the other hand, when there is no unextracted data asset (step S3015: No), the threat / countermeasure generation unit 123 writes out the threat / countermeasure definition 124 (step S3016). As a result, the generation processing of the series of threat / countermeasure definition 124 ends.

  FIG. 31 is a flowchart showing a procedure for generating the countermeasure program 126 by the countermeasure program extracting unit 125. First, the countermeasure program extraction unit 125 reads the threat / countermeasure definition 124 (step S3101), and extracts a countermeasure in the threat / countermeasure definition 124 (step S3102). Then, the countermeasure program extraction unit 125 extracts the countermeasure program 126 corresponding to the countermeasure name in the threat / countermeasure definition 124 from the countermeasure program DB 106 (step S3103). For example, when the countermeasure name is “identification / authentication”, the countermeasure program 126 shown in FIG. 19 is extracted, and when the countermeasure name is “encrypted”, the countermeasure program 126 shown in FIG. 20 is extracted.

  Thereafter, the countermeasure program extraction unit 125 determines whether there is an unextracted countermeasure (step S3104). If there is an unextracted countermeasure (step S3104: Yes), the process returns to step S3102. On the other hand, when there is no unextracted countermeasure (step S3104: No), the countermeasure program extraction unit 125 writes the extracted countermeasure program 126 (step S3105). As a result, the series of countermeasure program 126 extraction processing ends.

  FIG. 32 is a flowchart showing a source code template generation processing procedure by the source code template generation unit 122. First, the sequence definition 113 is read (step S3201), and a class corresponding to each object is generated as shown in FIGS. 21 and 25 (step S3202). Also, as shown in FIGS. 22 and 26, a method corresponding to the message in each object is generated (step S3203).

  Thereafter, as shown in FIGS. 23 and 27, a process that becomes a template in the method is generated (step S3204). The process so far is a process executed by the existing technology. Then, as shown in FIGS. 24 and 28, annotations corresponding to the security attributes of the class and method corresponding to each object are generated and added to the declaration unit (step S3205). Thereafter, the generated class definition 112 is written out as a source code template 114 (step S3206). Thus, the generation process of the series of source code templates 114 is completed.

  As described above, in this embodiment, a source code template having a description for specifying an insertion point (a fixed class, only having a method declaration, and not otherwise described) and an annotation in the development target program are provided. A countermeasure program 126 is provided that detects and inserts security processing there. As a result, not only functions expected by the developer, but also countermeasures against inputs not intended by the developer can be automatically generated in the design process. Therefore, it is possible to improve the completeness of the implementation related to the security function.

  Further, it is possible to implement specific security that is not assumed by the developer at the stage where coding is not completed, and the degree of freedom of coding downstream can be increased. Further, when prototyping is performed, if the developer creates both the development target program of the prototype 115a and the development target program of the finished product 115b from the source code template 114 provided by the present embodiment, the same security processing is performed on both. Can be realized.

  The development support method described in this embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. The development support program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM, an MO, and a DVD, and is executed by being read from the recording medium by the computer. The development support program may be distributed through a network such as the Internet.

100 Development Support System 101 Development Environment 102 Development Support Device 105 Threat / Countermeasure DB
106 Countermeasure program DB
121 Class generator 122 Source code template generator 123 Threat / countermeasure generator 125 Countermeasure program extractor

Claims (7)

A first acquisition step of acquiring a use case definition expressing a function to be developed, in which security attributes for the use case are defined;
A class generation step for generating a class definition by converting the use case and the security attribute into a class based on the use case definition acquired by the first acquisition step;
A second acquisition step of acquiring a sequence definition indicating an operation of the development target in which the class in the class definition generated by the class generation step is associated with an object;
Source code inserted into the program related to the development object by class-converting the object related to the class in the sequence definition acquired in the second acquisition step and adding the security attribute associated with the class A source code template generation process for generating a template;
Development support program characterized by causing a computer to execute. A first acquisition step of acquiring a use case definition expressing a function to be developed, in which a flow direction specifying a data direction for the use case and a security attribute for the data are defined;
A class generation step of generating a class definition by converting the data and the security attribute into a class based on the use case definition acquired by the first acquisition step;
A second acquisition step of acquiring a sequence definition indicating an operation of the development target in which the class in the class definition generated by the class generation step is associated with a message;
Source code inserted into the program related to the development object by method-converting the message related to the class in the sequence definition acquired by the second acquisition step and adding the security attribute associated with the class A source code template generation process for generating a template;
Development support program characterized by causing a computer to execute. The first security attribute for the use case, the flow direction specifying the direction of data for the use case, and the second security attribute for the data are specified, and the use case definition representing the function to be developed is acquired. 1 acquisition process;
Based on the use case definition acquired by the first acquisition step, the use case and the first security attribute are converted into a first class, and the data and the second security attribute are converted to a second class. A class generation process that generates a class definition by converting to a class,
A second acquisition step of acquiring a sequence definition indicating an operation of the development target in which the first class is associated with an object and the second class is associated with a message among the class definitions generated by the class generation step; ,
Of the sequence definition acquired by the second acquisition step, class-converts an object related to the first class, converts a message related to the second class, and associates it with the first class. A source code template generation step of generating a source code template to be inserted into the program related to the development object by adding the first security attribute and the second security attribute associated with the second class When,
Development support program characterized by causing a computer to execute.   Extracting countermeasure programs corresponding to the security attributes included in the use case definition from the database storing for each countermeasure countermeasure programs that execute countermeasures against threats indicating security attacks according to the types of the security attributes The development support program according to any one of claims 1 to 3, wherein the computer is caused to execute an extraction step to be performed.   An execution step of executing the countermeasure program having a security attribute that matches a security attribute defined in the source code template when executing the processing in which the source code template is inserted in the program related to the development target; The development support program according to claim 4, which is executed by a computer. A first acquisition means for acquiring a use case definition expressing a function to be developed, in which security attributes for the use case are defined;
Class generation means for generating a class definition by converting the use case and the security attribute into a class based on the use case definition acquired by the first acquisition means;
Second acquisition means for acquiring a sequence definition indicating an operation of the development target in which the class in the class definition generated by the class generation means is associated with an object;
Source code inserted into the program related to the development target by class-converting the object related to the class in the sequence definition acquired by the second acquisition means and adding the security attribute associated with the class A source code template generation means for generating a template;
A development support apparatus comprising: A computer comprising first acquisition means, class generation means, second acquisition means, and source code template generation means,
A first acquisition step of acquiring a use case definition expressing a function to be developed, wherein security attributes for the use case are defined by the first acquisition unit;
A class generation step of generating a class definition by converting the use case and the security attribute into a class based on the use case definition acquired by the first acquisition step by the class generation unit;
A second acquisition step of acquiring, by the second acquisition means, a sequence definition indicating an operation of the development target in which the class in the class definition generated by the class generation step is associated with an object;
The source code template generation means performs class conversion on an object related to the class in the sequence definition acquired in the second acquisition step, and adds the security attribute associated with the class, thereby developing the development. A source code template generation process for generating a source code template to be inserted into a program related to a target;
A development support method characterized by executing

Images