Automating Risk Analysis of Software Design Models-Reference-Cited by-同舟云学术

Automating Risk Analysis of Software Design Models

Published:2014 Issue: Volume:2014 Page:1-12
ISSN:2356-6140
Container-title:The Scientific World Journal
language:en
Short-container-title:The Scientific World Journal

Author:

Frydman Maxime¹^ORCID,Ruiz Guifré²,Heymann Elisa¹,César Eduardo¹,Miller Barton P.³

Affiliation:

1. Computer Architecture and Operating Systems Department, Universitat Autònoma de Barcelona, Campus UAB, Edifici Q, Bellaterra, 08193 Barcelona, Spain

2. The Open Web Application Security Project (OWASP), 1200-C Agora Drive, No. 232, Bel Air, MD 21014, USA

3. Computer Sciences Department, University of Wisconsin, 1210 West Dayton Street, Madison, WI 53706-1685, USA

Abstract

The growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduce the need for costly human expertise to perform risk analysis in software, which is common in secure development methodologies, by automating threat modeling. Reducing the dependency on security experts aims at reducing the cost of secure development by allowing non-security-aware developers to apply secure development with little to no additional cost, making secure development more accessible. To automate threat modeling two data structures are introduced, identification trees and mitigation trees, to identify threats in software designs and advise mitigation techniques, while taking into account specification requirements and cost concerns. These are the components of our model for automated threat modeling, AutSEC. We validated AutSEC by implementing it in a tool based on data flow diagrams, from the Microsoft security development methodology, and applying it to VOMS, a grid middleware component, to evaluate our model's performance.

Funder

MINECO

Publisher

Hindawi Limited

Subject

General Environmental Science,General Biochemistry, Genetics and Molecular Biology,General Medicine

Link

http://downloads.hindawi.com/journals/tswj/2014/805856.pdf

Reference11 articles.

1. On the secure software development process: CLASP, SDL and Touchpoints compared

Cited by 23 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. MEDICALHARM: A threat modeling designed for modern medical devices and a comprehensive study on effectiveness, user satisfaction, and security perspectives;International Journal of Information Security;2024-03-29

2. Automated Knowledge-Based Cybersecurity Risk Assessment of Cyber-Physical Systems;IEEE Access;2024

3. Attack Model for Generic Intelligent Systems;Journal of Applied Security Research;2023-11-20

4. MEDICALHARM - A Threat Modeling designed for Modern Medical Devices;2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom);2023-11-01

5. AndrAS: Automated Attack Surface Extraction for Android Applications;2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security (QRS);2023-10-22