Security must be a first class citizen in the design of large scale, interacting, software applications, at early and all stages of the lifecycle, for accurate and precise policy definition, authorization, authentication, enforcement, and assurance. One of the dominant players in software design is the unified modeling language, UML, a language for specifying, visualizing, constructing and documenting software artifacts. In UML, diagrams provide alternate perspectives for different stakeholders, e.g.: use case diagrams for the interaction of users with system components, class diagrams for the static classes and relationships among them, and sequence diagrams for the dynamic behavior of instances of the class diagram. However, UML's support for the definition of security requirements for these diagrams and their constituent elements (e.g., actors, systems, use cases, classes, instances, include/extend/generalize relationships, methods, data, etc.) is lacking. In this paper, we address this issue by incorporating mandatory access control (MAC) into use case, class, and sequence diagrams, providing support for the definition of clearances and classifications for relevant UML elements. In addition, we provide a framework for security assurance as users are defining and evolving use case, class, and sequence diagrams, bridging the gap between software engineers and an organization's security personnel in support of secure software design. To demonstrate the feasibility and utility of our work on secure software design, our MAC enhancements for UML have been integrated into Borland's Together Control Center Environment.
