Automating risk analysis of software design models
Frydman, Maxime (Universitat Autònoma de Barcelona. Departament d'Arquitectura de Computadors i Sistemes Operatius)
Ruiz, Guifré (OpenWeb Application Security Project (USA))
Heymann Pignolo, Elisa (Universitat Autònoma de Barcelona. Departament d'Arquitectura de Computadors i Sistemes Operatius)
César Galobardes, Eduardo (Universitat Autònoma de Barcelona. Departament d'Arquitectura de Computadors i Sistemes Operatius)
Miller, Barton P. (University of Wisconsin. Computer Sciences Department)
Fecha: |
2014 |
Resumen: |
The growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduce the need for costly human expertise to perform risk analysis in software, which is common in secure development methodologies, by automating threat modeling. Reducing the dependency on security experts aims at reducing the cost of secure development by allowing non-security-aware developers to apply secure development with little to no additional cost,making secure development more accessible. To automate threat modeling two data structures are introduced, identification trees and mitigation trees, to identify threats in software designs and advise mitigation techniques, while taking into account specification requirements and cost concerns. These are the components of our model for automated threat modeling, AutSEC. We validated AutSEC by implementing it in a tool based on data flow diagrams, from theMicrosoft security development methodology, and applying it to VOMS, a grid middleware component, to evaluate our model's performance. |
Ayudas: |
Ministerio de Economía y Competitividad TIN2011-24384
|
Derechos: |
Aquest document està subjecte a una llicència d'ús Creative Commons. Es permet la reproducció total o parcial, la distribució, la comunicació pública de l'obra i la creació d'obres derivades, fins i tot amb finalitats comercials, sempre i quan es reconegui l'autoria de l'obra original. |
Lengua: |
Anglès |
Documento: |
Article ; recerca ; Versió publicada |
Materia: |
Computer Security ;
Models Theoretical ;
Risk Assessment ;
Software Design |
Publicado en: |
The Scientific World Journal, Vol. 2014 (June 2014) , art. 805856, ISSN 1537-744X |
DOI: 10.1155/2014/805856
PMID: 25136688
El registro aparece en las colecciones:
Artículos >
Artículos de investigaciónArtículos >
Artículos publicados
Registro creado el 2019-04-24, última modificación el 2022-03-26