A Software Development Methodology for Secure Web Application

Junho Lee, Jungwoong Woo, Cheongan Lee, Kyungsoo Joo


In recent years, there has been a demand for Web applications with complex functions. In addition, most web applications efficiently manage data based on databases. While the key and critical dimension of developing these Web applications is analysis and design, most object-oriented analysis and design methods do not have a consistent view of the database. In addition, Java Enterprise Edition (EE) -based technologies are used in Web application implementations, but they do not provide any correlation with the database. On the other hand, as users' demands for security increase, security becomes more important. To this end, Java EE and database systems provide security solutions. However, it does not provide any correlation with object-oriented analysis and design methodology. As a result, it is difficult to develop secure web applications in a consistent way from analysis to implementation. In this paper, we propose a consistent software development methodology from analysis to implementation of secure web applications. The proposed software development methodology for web application development uses UMLsec, a security-emphasized modeling language, and object-relational (O-R) mapping for relational database design. It also uses Java servlets and SQL to implement analysis and design results based on role-based access control (RBAC). The software development methodology for the secure web application proposed in this paper has been applied to the development of the online banking system, from the design stage of the user's requirements analysis to the implementation of the web application.


web application; development methodology; secure web; secure web application; software development.

Full Text:



Eduardo Fernandez-Medinaa, Juan Trujillob, Rodolfo Villarroelc, and Mario Piattinia., 2007, “Developing secure data warehouses with a UML extension,†Journal Information Systems archive, Vol 32, No 6, pp. 826-856.

G.Popp, J. Jurjens, G.Wimmel, R. Breu., 2003, “Security-Critical System Development with Extended Use Case,†Asia-Pacific Software Engineering Conference, 5-1 self.

Madan, s., 2010, “Security Standards Perspective to Fortify Web Database Applications From Code Injection Attacks,†International Conference on Intelligent Systems, Modelling and Simulation(ISMS), Vol. 10, pp. 226-230.

lqra Basharat, Farooque Anam, Abdul Wahab Muzaffar., 2012, “Database Security and Encryption: A Survey Study,†International Journal of Computer Application, Vol. 47, No. 12, pp28-34.

David Basin, Jürgen Doser, and Torsten Lodderstedt., 2006, “Model Driven Security: from UML Models to Access Control Infrastructures,†ACM Transactions on Software Engineering and Methodology (TOSEM), Vol. 15 No. 1, pp39–91.

Kyung-Soo Joo, Jung-Woong Woo., 2012, “A Development of the Unified Object-Oriented Analysis and Design Methodology for Security-Critical Web Application Based on Object-Relational Database –Focusing on Oracle 11g-“, Korea Society of Internet Information, Vol 17, No 12, pp. 169-177.

Byeong-Seon Jeon., 2005, CBD WHAT&HOW, Wowbooks Publishing Company, Seoul.

Heung-Seok Chae., 2009, Object-oriented CDB Project for UML and Java as learning, Hanbit Media. Seoul.

Mang Su, Fenghua Li, Guozhen Shi, and Li Li, “An Action-Based Access Control Moedl for Multi-level Security,†IJSIA, 6, pp. 359-366 (2012).

Allaoua Maamir, Abdelaziz Fellah, Lina A. Salem, “Fine Granularity Access Rights for Information Flow Control in Object-Oriented Systems,†IJSIA, 2, pp. 81-92 (2008).

Brett D. McLaughlin, Gary Pollice, David West., 2007, Head First Object-Oriented Analysis & Design, habit media, Seoul.

Seung-Yun Bang, Kyung-Soo Joo., 2003, “Design Methodology for XML Schema Application based on UML,†Soonchunhyang Univ, pp.71-75.

Mang Su, Fenghua Li, Guozhen Shi, Li Li., “An Action-Based Access Control Model for Multi-level Security.â€, International Journal of Security and Its Applications, 6(2), 359-366. 2012

Egbunike, Celestine, and S. Rajendran. "The implementation of the negative database as a security technique on a generic database system.", Circuit, Power and Computing Technologies (ICCPCT), 2017 International Conference on. IEEE, 2017.

DOI: http://dx.doi.org/10.18517/ijaseit.9.1.5987


  • There are currently no refbacks.

Published by INSIGHT - Indonesian Society for Knowledge and Human Development