Assignment

Related objectives from the unit outline:

- Demonstrate best practice in software processes and in the quality of the developed software by applying appropriate concepts, strategies and techniques in the various phases of software engineering.
- Develop appropriate artefacts/deliverables for each phase involved in the engineering of software.

Task: Modelling Security Requirements

The Unified Modelling Language or UML is considered to be the de-facto standard for modelling information systems today. Despite this, there have been several extensions to the UML. One such extension involves what are called Misuse Case Diagrams, a security-oriented extension to the standard Use Case Diagrams. Security is a major concern for many mission-critical applications. If software were designed correctly the first time, vulnerabilities would not exist. Misuse Case Diagrams are an attempt to solve this problem
Your task is to read the case study below, draw a use case diagram of the case study, and then draw a Misuse Case Diagram of the same problem.

Before attempting the task, you should read Sindre and Opdahl (2001) to find out about misuse cases, then read Johnstone (2011) to find out how to generate a misuse case diagram with a STRIDE matrix.
You should ask questions on the unit discussion board about the assignment in order to clarify ambiguities.

In your Word document include:
- A Use Case Diagram of the Case Study described below;
- A Misuse Case Diagram derived from the above, using the method specified in Johnstone (2011);
- A STRIDE matrix
- A list of misuse cases derived from the above; and
- A list of security use cases derived from the above.

You must:
- Provide a zip file containing your assignment as a Word document. No other compression formats accepted. No other document formats accepted.
- In the zip file include separately the UML diagrams that you have drawn. You are expected to draw two-a use case diagram and a misuse case diagram. Use Visio to draw your UML diagram(s). Visio is available free for you to use - search for MSDNAA on the ECU web site. Submissions without two included
.vsd files readable by Visio 2010 will not be accepted or assessed.
- Separately (not in the zip file), provide the MD5 hash value of your assignment (Word) document. Submissions without a hash value will not be accepted or assessed.

Document Style

- Your document must be in MS-Word format (.doc/.docx), body text 12 point Arial font, double spaced, fully justified and include page numbers.

- The document should include a title page and table of contents with page number one (1) starting after the table of contents.

- No executive summary or abstract required.

- The title page should not be numbered but the pages between the title page and the main body of the document should be numbered with lower case roman numerals.
Marks will be deducted if you do not adhere to this style.

PCN Case Study

Palladium Chain Nursing (PCN) wish to build a tablet-based app that allows health care professionals (HCPs) to sign up patients on-site. They have commissioned you, as an experienced security requirements engineer, to provide some initial models for their app. On start-up, the tablet performs a self-check to ascertain whether its operating system or the app have been tampered with. If the computed check sum does not match the checksum stored on a smart device that is connected to the tablet prior to start-up, then the tablet powers down again. The app must let an HCP authenticate to the PCN Health Server, where the patient records are also stored. Following authentication, an HCP can be authorised to create, modify or delete a patient record (with an appropriate audit trail). To create a record, the HCP asks the patient salient details and inputs the details into a form generated by the app. Following the creation of a patient record, an HCP can use the app to create a service contract between PCN and the patient. As part of the service contract, the patient's health insurance fund may be optionally contacted by the app to confirm that the patient has the correct level of health insurance cover to allow him/her to be able to cover the cost of the service contract. To finalise the contract, the patient signs the form on the tablet in the appropriate place on the form. At that point the service contract is considered active once the data captured on the app is sent to the PCN Health Server.