Automating Risk Analysis of Software Design Models
The growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduc...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Wiley
2014-01-01
|
| Series: | The Scientific World Journal |
| Online Access: | http://dx.doi.org/10.1155/2014/805856 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1832558067476070400 |
|---|---|
| author | Maxime Frydman Guifré Ruiz Elisa Heymann Eduardo César Barton P. Miller |
| author_facet | Maxime Frydman Guifré Ruiz Elisa Heymann Eduardo César Barton P. Miller |
| author_sort | Maxime Frydman |
| collection | DOAJ |
| description | The growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduce the need for costly human expertise to perform risk analysis in software, which is common in secure development methodologies, by automating threat modeling. Reducing the dependency on security experts aims at reducing the cost of secure development by allowing non-security-aware developers to apply secure development with little to no additional cost, making secure development more accessible. To automate threat modeling two data structures are introduced, identification trees and mitigation trees, to identify threats in software designs and advise mitigation techniques, while taking into account specification requirements and cost concerns. These are the components of our model for automated threat modeling, AutSEC. We validated AutSEC by implementing it in a tool based on data flow diagrams, from the Microsoft security development methodology, and applying it to VOMS, a grid middleware component, to evaluate our model's performance. |
| format | Article |
| id | doaj-art-da566762c0694fd6bf3d566929df613d |
| institution | Kabale University |
| issn | 2356-6140 1537-744X |
| language | English |
| publishDate | 2014-01-01 |
| publisher | Wiley |
| record_format | Article |
| series | The Scientific World Journal |
| spelling | doaj-art-da566762c0694fd6bf3d566929df613d2025-02-03T01:33:23ZengWileyThe Scientific World Journal2356-61401537-744X2014-01-01201410.1155/2014/805856805856Automating Risk Analysis of Software Design ModelsMaxime Frydman0Guifré Ruiz1Elisa Heymann2Eduardo César3Barton P. Miller4Computer Architecture and Operating Systems Department, Universitat Autònoma de Barcelona, Campus UAB, Edifici Q, Bellaterra, 08193 Barcelona, SpainThe Open Web Application Security Project (OWASP), 1200-C Agora Drive, No. 232, Bel Air, MD 21014, USAComputer Architecture and Operating Systems Department, Universitat Autònoma de Barcelona, Campus UAB, Edifici Q, Bellaterra, 08193 Barcelona, SpainComputer Architecture and Operating Systems Department, Universitat Autònoma de Barcelona, Campus UAB, Edifici Q, Bellaterra, 08193 Barcelona, SpainComputer Sciences Department, University of Wisconsin, 1210 West Dayton Street, Madison, WI 53706-1685, USAThe growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduce the need for costly human expertise to perform risk analysis in software, which is common in secure development methodologies, by automating threat modeling. Reducing the dependency on security experts aims at reducing the cost of secure development by allowing non-security-aware developers to apply secure development with little to no additional cost, making secure development more accessible. To automate threat modeling two data structures are introduced, identification trees and mitigation trees, to identify threats in software designs and advise mitigation techniques, while taking into account specification requirements and cost concerns. These are the components of our model for automated threat modeling, AutSEC. We validated AutSEC by implementing it in a tool based on data flow diagrams, from the Microsoft security development methodology, and applying it to VOMS, a grid middleware component, to evaluate our model's performance.http://dx.doi.org/10.1155/2014/805856 |
| spellingShingle | Maxime Frydman Guifré Ruiz Elisa Heymann Eduardo César Barton P. Miller Automating Risk Analysis of Software Design Models The Scientific World Journal |
| title | Automating Risk Analysis of Software Design Models |
| title_full | Automating Risk Analysis of Software Design Models |
| title_fullStr | Automating Risk Analysis of Software Design Models |
| title_full_unstemmed | Automating Risk Analysis of Software Design Models |
| title_short | Automating Risk Analysis of Software Design Models |
| title_sort | automating risk analysis of software design models |
| url | http://dx.doi.org/10.1155/2014/805856 |
| work_keys_str_mv | AT maximefrydman automatingriskanalysisofsoftwaredesignmodels AT guifreruiz automatingriskanalysisofsoftwaredesignmodels AT elisaheymann automatingriskanalysisofsoftwaredesignmodels AT eduardocesar automatingriskanalysisofsoftwaredesignmodels AT bartonpmiller automatingriskanalysisofsoftwaredesignmodels |