Eliciting Security Requirements through Misuse Activities

Eliciting Security Requirements through Misuse Activities

In previous work we introduced an approach for finding security requirements based on misuse activities (actions). This method starts from the activity diagram of a use case (or a sequence of use cases). Each activity is analyzed to see how it could be subverted to produce a misuse of information. T...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Braz, F.A., Fernandez, E.B., VanHilst, M.
Format: Tagungsbericht
Sprache:eng
Schlagworte:
Authorization
Availability
Business
Computer science
Organizations
Security
security patterns
security requirements
Software
software engineering
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:In previous work we introduced an approach for finding security requirements based on misuse activities (actions). This method starts from the activity diagram of a use case (or a sequence of use cases). Each activity is analyzed to see how it could be subverted to produce a misuse of information. This analysis results in a set of threats. We then consider which policies can stop or mitigate these threats. We now extend that approach to consider in the analysis the type of misuse (confidentiality, integrity ...) that can happen in each activity, the role of the attacker, and the context for the threat. This extended analysis results in a finer and more systematic way to find threats and we can identify now more threats. We also improve the way to find the policies to control these threats and we consider how to map the corresponding policies to security patterns. The information in each pattern helps in the selection of an optimal (or good) set of policies. Our extended approach can be conveniently incorporated in a methodology to build secure systems.
ISSN:1529-4188
2378-3915
DOI:10.1109/DEXA.2008.101