114

Int. J Sup. Chain. Mgt Vol. 5, No. 4, December 2016

A Secured e-Tendering Model Based on Rational (RUP) Approach: Inception and Elaboration Phases

Haslina Mohd #1 , Fauziah Baharom #2, Norida Muhd Darus #3 , Mohamed Ali Saip #4 , Zaharin Marzuki #5, Azman Yasin #6 , Muhammad Afdhal Muhammad Robie *7

# School of Computing, Universiti Utara Malaysia, 06010 Sintok, Kedah, Malaysia.

*Human Centred Computing Research Lab, School of Computing, Universiti Utara Malaysia, 06010 Sintok, Kedah, Malaysia,

[email protected];[email protected];[email protected];[email protected];5zaharin @uum.edu.my;[email protected];[email protected]

Abstract — Due to the rapid rise in the e-Tendering 1. Introduction transaction over the internet and the increasing use of e-Tendering solution by large organizations, there is a need to construct a secured e-Tendering model to E-Tendering is an electronic processing of the ensure some security mechanisms such as tender document via internet and allow tenderer to confidentiality, integrity, and accessibility of the publish, communicate, access, receive and submit document are embedded in the e-tendering model. all tender related information and documentation This to ensure the e-tendering transaction is secured via internet (Australian Standard Code of and the most important is to gain trust from the e- Tendering, 1994)[1]. As competition on the internet Tendering stakeholder. Therefore, there is a need to grows, tenderer seeks to obtain as much develop a secured e-Tendering model as a guideline to information as possible from tender competitors by e-tendering developers in developing the system. The using various methods that threaten data security (RUP) is the most appropriate system development methodology that and help them gain an unfair advantage can guide researchers in generating secured . [4].Therefore, concerns over the security of the e- Therefore, this study aims to construct a secured e- tendering transaction need to be addressed in order tendering artifacts based on RUP. The Unified to allow principle organizations to continually Modeling Language (UML) is used to generate the improvise their tendering performance and secured e-tendering artifacts. This paper discusses the maintain competitive advantage [2-5]. generation of , misuse case and class diagrams Therefore is a crucial to construct a secured e- based on security mechanism that need to be tendering model to become a guideline for the e- embedded in the e-Tendering model. This study also tendering developers. This to ensure a secured e- found that, the RUP is one of the best system development methodology that can be used as one of tendering system is developed and implemented, the research methodology in the Software thus to avoid some security threats such as Integrity Engineering domain, especially related to secured violation, confidential violation, Impersonate and design of any observed application. This methodology so forth, during the tender document transaction in has been tested in various studies, such as in the electronic environment [2-6]. Simulation-based Decision Support, Security Requirement Engineering, Business Modeling and 2. Literature Review Secure System Requirement, and so forth. . This study may contribute to the software industries in developing a secured system application in the future, In order to construct a secured e-Tendering model, and also to the secured system modeling domain. an appropriate system development methodology that can guide researchers in delivering a secured Keywords — e-Tendering; Rational Unified Process; artifact for the secured e-tendering model must be Inception; elaboration, secured artefact; Use Case Diagram; identified. Based on previous studies, Rational Misuse Case Diagram; Incremen Unified Process (RUP) is one of a good system development methodology that can assist researchers in delivering a secured artefact of the ______secured e-tendering model [7-9]. International Journal of Supply Chain Management The Rational Unified Process (RUP) is one IJSCM, ISSN: 2050-7399 (Online), 2051-3771 (Print) such life cycle approach that enables to produce Copyright©ExcelingTech Pub,UK (http://excelingtech.co.uk/) quality software. As Figure 1.0 illustrates, RUP consists of the following four phases: Inception:

115

Int. J Sup. Chain. Mgt Vol. 5, No. 4, December 2016

Establish the basic scope of the project, on the and delivered the artifacts as required in the RUP other hand, Elaboration: Define the architecture of process flows. Therefore this study aims to the system in order to provide a stable basis for the construct a secured e-Tendering model based on design and implementation effort in the RUP approach specifically focusing on Inception Construction phase. and Elaboration phases. RUP provides a disciplined approach on how to assign tasks and responsibilities within the 3. Methodology software development process. It consists of nine process workflows (business modeling, requirements, analysis and design, implementation, This study comprises of four phases as describe test, deployment, configuration management, below: project management, and environment). Correlated 1.1. Phase 1: Initial Study within each process workflow is a set of artifacts and activities, for example business model, use The aim of this phase is to explore the existing case model, and so forth. RUP provides a generic problems and solutions being address related to process framework, which can be customized to fit implementation of e-Tendering system. This initial many different projects, different types of phase involves the core , namely theoretical organizations, different levels of competence and study. Apart from that, a preliminary study has different project sizes [10]. Therefore, it can be been conducted to get an initial idea on e- concluded that the RUP has a strength and ability Tendering system. The threats and secure practices to assist researchers in generating artifacts of e-tendering system have been identified to systematically and produce required documents in construct matrix with counter measures. The the inception and elaboration phase. This is because research outcomes of this phase are list of threats, the characteristics of RUP itself that can guide list of secured practices and a matrix of secure researchers in creating a centralized architecture, practices and threats of e-Tendering process with iterative and additional process. counter measures. This phase answered the sub The scope of this study is only focusing on Inception and Elaboration phases as step to develop objective one of this study. the model and perform only three of nine workflows (business modeling, requirements, 1.1.1. Identify threats and identify secure analysis and design). The UML notation and the practices software program, StarUML, are used to support this work. Threats and secure practices of e-tendering system The RUP is the most regularly used by have been identified from the literature review. software developers in software development The suitable threats and secure practices are listed processes especially in the industry. Currently the to construct a matrix. The matrix of the threats and RUP is recognized as one of the methodology that possible security practices is discussed in the next enhances and streamlining the process of section. identifying requirement as compared to conventional approaches [10]. Conventional software development process models comprise of 1.2. Phase 2: Modelling four core process steps: analysis, design, implementation and test. These processes guarantee The main aim of this phase is to construct a secure the correct analysis of requirements and their valid e-tendering model. Findings from the phase 1 are implementation, but not necessarily support quality used to construct the model. The model is based on attributes like usability or security [11]. RUP a generic of e-tendering and secure delivers artifacts that can easily understand by requirements. The generic component of e- software development and client [12]. It has a tendering requirements has been facilitated as a structured framework that consists of phases and basis for eliciting the functional user requirements. workflows that easy to understand and facilitates While the security-focused requirements has been [13]. facilitated as non-functional requirements which its The RUP processes include measures of description are usually specified as supplementary quality assurance, minimum of requirements specifications. The secure practices of e-tendering engineering and software development iterations. are mapped into Rational Unified Process (RUP) All this must involve testing, configuration phases. Only the first two phases of RUP which management, and collaboration with customers are Inception and Elaboration involved. The details during project development. In addition, extra activities for each phase are described in the next assessment is required to ensure the continuous section. In each phase, a set of related UML model monitoring of project development quality has been developed to illustrate the process of assurance [14]. secure e-tendering system. The final activity in this Based on the advantages of RUP for industry, phase is constructed secure e-tendering model therefore this study is adapted the RUP approach in activity in order to produce a secure e-tendering identifying the requirements of secure e-Tendering

116

Int. J Sup. Chain. Mgt Vol. 5, No. 4, December 2016

model using UML. This phase answered the sub objective two and three of this study. 1.3. Phase 3: Validation Table 1. Inception Phase

The final phase of this study is named as validation Business Requirement Analysis phase. This phase answered the sub objective four Modeling and Design of this study. The secure e-tendering requirement model constructed in phase 2 has been validated in Establish a Capture threats of the e- None this phase. The purpose of this activity is to ensure business case Tendering that the requirements for the e-Tendering process and project and security practices have been clearly identified scope Capture generic security and validated. The experts review approach is used Requirements to validate the requirement model. There are two experts from each perspective have reviewed the model in separated session. Feedback from the Capture secure e-Tendering validation is used as input for enhancement and Establish requirement improvement of the proposed model and also can Project Plan be used to enhance the secure e-Tendering architecture in the future. Outcome: 4. RUP and E-tendering modelling Outcome: a) List of Requirements Use case (Table 4.2): This study adapting two phases of the RUP: 1) diagram • Functional Inception, and 2) Elaboration phases. The brief Requirements: descriptions of the activities are presented in Table Domain 1. Verify Pre- 1.0. Class Qualification Diagram Requirements 2. Registration New 2.1. First phase RUP: Inception Tendered 3. Public invitation In this phase of RUP below tasks most placed in 4. Submit Tender the priority of project teams: 5. Open tender • Identify scope of the project 6. Close tender • Identify current business status 7. Evaluation Tender

• Identify actors of the organization and 8. Award tender 9. Archive Tender their requirement and expectations • Identify goals and requirements of the project  Non-Functional • Model the organization's strategic Requirements: planning using UML in Domain Class Security requirements: Diagram • Establishing a team to identifying current 1. Confidentiality way of performing processes and model 2. Integrity 3. Availability them using UML in Use case and Activity b) Matrix of threats and Diagram. possible security solutions (refer Table 5). This study started with a review of tender process, security mechanism, possible threats and security solution. Then the requirements of e-tendering is documented and modeled in the form of domain Main focus in this phase is on requirement class and use case diagrams, followed by the matrix discipline and analysis and design discipline. of threats and security solution. Table 1 show the Requirements have been updated and briefly list of requirements for the tender process which documented in a use case specification. Use case composed of nine functional requirements in the diagram has been reviewed to collaborate with the Inception Phase. security mechanism. Next, has been modeled to visualize the tendering process. Domain class diagram is refined to produce detailed class diagram.

117

Int. J Sup. Chain. Mgt Vol. 5, No. 4, December 2016

4. Open tender Principal open tender

Table 2. Elaboration Phase View Tender Document View Tenderer Qualification Business Requirement Analysis and modeling Design 5. Tender submission Tenderer registration for tender a project None Iteration 1: Iteration 1: Download tender document Iteratively update the Analyze the requirements problem domain. Adendum distributed by principal Associate security Tenderer submit tender Outcome: requirements document into e-Tendering Brief specification model 6. Close tender Officially Close tender requirements of e- tendering (refer Tender Guarantee Appendix specification Outcome: 7. Tender evaluation Tender evaluation process requirement) Misuse case 8. Award of tender Request for information diagram Award tender or acceptance Iteration 2: Activity of tender Diagram Refined matrix of Signing the formal threats and possible Detailed Class agreement security solutions. Diagram 9. Archiving Retention of the document

Outcomes: Based on the above requirements, the use case Details matrix of diagram is constructed as presented in Figure 2.0. threats and possible

security solution public invitation generate tender verify pre-qualification specification requirements

open tender Outcomes:

Details matrix of threats and possible security close tender solution. Principal register new tenderer The main and refined requirements of the e- Tenderer Tendering system are presented in Table 3. submit tender Financial Committee

Table 3. Main Requirements of the e-Tendering evaluate tender System Technical Committee Tender Board award tender Main Refined Requirements Requirements archive tender Administrator 1. Prequalification and Pre -qualification registration registration Issue username and Figure 2 e-Tendering Use case Diagram password The use case diagram composed of 10 use cases: 2. Generate Tender Establishment Project Public Invitation, Generate tender specification, Requirement Strategy/Specification Open tender, Close tender, Register New Tenderer, Submit tender, Evaluate Tender, Archive Tender, 3. Public invitation Tender advertisement and Verify pre-qualification requirements. The use Tenderers view tender case diagram shows the main modules of the e- advertisement and notice Tendering system. After the use case diagram is constructed, the detail for each usecase 118

Int. J Sup. Chain. Mgt Vol. 5, No. 4, December 2016

specification is described. However it is not presented in this paper. Next is to construct the e-Tendering class diagram. Figure 2.0 shows the e-Tendering class diagram model that composed of 13 classes: Tender Document together with the Legal Term class. This class has a relationship with tenderer class that Table 4. Security mechanism of the e-Tendering composed of tenderer information. Tenderer class also need to has a relationship with Tenderer Security Practices Proposal class and to the Shortlisted Tenderer class. Mechanism Shortlisted Tenderer class has a relationship with Secure Sockets  Provide integrity and Evaluation Committee class because the evaluation Layer (SSL) confidentiality in communication. committee may decide and shortlisted the eligible  Use RSA or DSA with a key tenderer for the project. The following class length of at least 2048 bits as diagram shows all relationships of the classes in the asymmetric algorithm, and AES e-Tendering system. or triple DES for symmetric encryption (Betts et al, 2006).  Protect the confidentiality of the tender data being downloaded.  Protect information while in TenderDocSpec refer Tenderer transit. Digital  Used to verify the authenticity get Signature and integrity of a message or TenderAward ShortListedTender LegalTerm document.

propose  Used Digital Signature Algorithm issue Contract shortlisted (DSA), El Gamal and Elliptic issue Curve DSA (ECDSA) (Gregory, appoint Principle EvaluationCommittee TenderProposal 2010). evaluate Digital  Common form of a digital create refer Certificate certificate is X.509, an ITU

TenderDocEvaluationCriteria TenderBoard TechnicalCommittee FinancialCommittee (International Telecommunication Union) standard (Gregory, 2010). Biometric  Fingerprint reader.

Figure 3 . Class Diagram of the E-Tendering Time Stamping  Hash function. System Service (TSS)  Digital signature.

3.2.1 Security Mechanism of the e-Tendering 4.2.2 Tendering threat and secure practices

The security mechanism of the e-Tendering system The threats and secure practices are listed to is listed in Table 4.0. The security mechanism is construct a matrix in Table 5.0 Threats and secure important to ensure it is taken into consideration in practices of e-tendering system are identified from designing a secured e-Tendering system. the literature review. After completing the first phase of RUP, the documents and models are reviewed and aligned with the needs, and

expectations of the secure e-tendering system.

119

Int. J Sup. Chain. Mgt Vol. 5, No. 4, December 2016

Table 5. Matrix of Threats and Possible Secure Solution Tender Process Process Tender violation Timeintegrity violation Integrity violation Confidential Impersonation evidence Non-verifiable services of Denial Repudiation

Phase 1 1 Phase Specifying security mechanism such as confidentiality, integrity, and availability, and legal term and condition related to secure e-tendering system Secure Sockets Sockets Secure Layer (SSL) (SSL) Layer and and Qualification Pre- registration registration SSL SSL Signature Digital Certificate Digital

- Certificate - - Signature Signature Digital Digital Digital Phase 2 2 Phase

invitation invitation Public - SSL SSL Biometrics Certificate Digital - - submission submission Tender Access Based Time SSL SSL Certificate Digital Signature Digital - Access Based Time Stamping Time Signature Digital tender tender Close Access Based Time Stamping Time Biometrics (STS) Server Time Secure Biometrics - Access Based Time Stamping Time evaluation evaluation Tender - Biometrics SSL - Certificates Digital - Phase 3 3 Phase

tender tender of Award - SSL SSL Biometrics Signature Digital - Stamping Time

ng Archivi - ics Biometr SSL ics Biometr SSL - - - -

5. Discussion of security solution also being identified and are formulated in a form of matrix of threats and This study has achieved the main objective to possible security solutions. The elaboration phase, design the e-Tendering system using Rational focused on analysis and design of the e-Tendering Unified Process (RUP) approach. However, only requirements using Star UML. The basic two phases involve in constructing the design of a requirements are designed using Use Case secured e-Tendering system that are Inception and diagrams and Class Diagram. Then a secured e- Elaboration phases. Inception focusing on Tendering requirement is designed using misuse identifying the scope of the project, current case approach which has been discussed in business status, actors of the organization and their previous paper [6]. This study shows that the RUP requirement and expectations, the goals and is one of the best system development requirements of the actors functions in from the methodologies that can be used as one of the project, modelling the organization's strategic research methodology in Software Engineering planning In Inception phase the details domain related to secured design of any observed requirements of the secure e-Tendering system are application. This methodology has been tested in identified as presented in Table 5, the requirement various studies in certain domain, such as in

120

Int. J Sup. Chain. Mgt Vol. 5, No. 4, December 2016

Simulation-based Decision Support [8], Security Protocol for E-tendering, Australian Computer Requirement Engineering [9], Business Modeling Society , 155-164, 2006. and Secure System Requirment [11], and so forth [6] Haslina,M.Muhammad Afdhal M. R., Fauziah, B., Norida, M. D., Mohamed Ali S., and 6. Conclusion Azman, Y., Secure e-Tendering Modeling using Misuse Case Approach. Online As a conclusion, this study has achieved the main Proceeding of International Soft Science objective of the study in constructing a secured e- Conference, 2016. Tendering model. This study also showed that the [7] Belani, H., Car, Z., and Carie, A., RUP-Based RUP successfully assisted researchers in delivering Process Model for Security Requirements a secured e-Tendering artifact such as use case Engineering in Value-Added Service diagram, misuse case diagram, and a initial class Development. International Conference in diagram for a secured e-Tendering model. These Software Engineering (ICSE’09) Workshop on artifacts can be used as a guideline to the e- IEEE , 54-60, 2009. Tendering developers in developing a secured e- [8] Paikari, E., Ruhe, G., and Southekel, P. H. Tendering system, thus this may gain stakeholders’ 2012. Simulation-Based Decision Support for trust to use the system for tendering process via Bringing a Project back on Track: The Ce of electronic environment. In addition, this study also RUP-Based Software Construction. ICSSP found that the RUP is one of a good research 2012, IEEE. 13-21. methodology that can be adapted in Software [9] Jaferian, P. Elahi G.,Shirazi, M. R. A. ,and Engineering (SE) research domain that required a Sadeghian, B., RUPSec: Extending Business few artifacts to be generated such as use case Modeling and Requirements Disciplines of modeling, misuse case modeling, activity diagram, RUP for devlodevelopingre Systems. and initial class diagram from a list of requirements Conference on Software Engineering and as identified earlier by the SE researchers. Advanced Applications (EUROMICRO-SEAA ’05), 2005. [10] Booch, G. Rumbaugh,J. and Jacobson,I., The Acknowledgments Unified Modeling Language User Guide . Adison-Wesley, 1999. This research was funded by the Ministry of [11] Belani, H. Z. and Car, A., RUP-based process Education (MOE), Malaysia under the model for security requirements engineering in Fundamental Research Grant Scheme (FRGS). Value-added Service Development. Caric Special thanks to all researchers in the Software Proceedings of the 2009 ICSE Workshop on Technology Research Group (SOFTECH), Software Engineering for Secure Systems May University Utara Malaysia for their commitment in 2009 IWSESS '09. (2009). completing this research. [12] Zuser, W. Heil, S., and Grecheng, T., Software Quality Development and assurance in RUP, References MSF, and XP. Software Engineering Notes: May 2005 ACM SIGSOFT, 30 (4), (2005). [1] AS 4120 1994. Standard Australia Committee ACM Digital Library. on Construction Industry Practices. Code of [13] Meckem, S. and Lee Carson, J., Using Rapid Tendering, Australia Standard. Standards Experimentation of inform Customer Service Association of Australia, 1 the Crescent, Experience Design, Extended Abstracts on Homebush, NSW 2140, 28 October 1994. Human Factors in Computing Systems (CHI [2] Betts, D., Black, P., Christensen, S., Dawson, '10) April 10. ACM Digital Library , 2010. E., Du, R., and Duncan, W., towards secure [14] Jawhar, I. And Lazarova-Molnar, S., and legal e-tendering. Journal of Information Middleware Requirements for Collaborative and Technology in Construction , XI , 89-102, Unmanned Aerial Vehicles. In Unmanned 2006. Aircraft Systems (ICUAS), 2013 International [3] Du, R., Foo, E., Boyd, C., and Raymond, K. Conference on IEEE . 1051-106, 2013 C., Formal Analysis of Secure Contracting Protocol for E-tendering, Australian Computer Society , 155-164,2006. [4] Hui, W. S., Othman, R., Omar, N. H., Abdul Rahman, R., andHaron, N. H., Procurement Issues in Malaysia. International Journal of Public Sector Management , 24(6), 567-593, 2011. [5] Du, R., Foo, E., Boyd, C., and Raymond, K. C., Formal Analysis of Secure Contracting