Security Risk Assessment of Software Architecture

Abstract — Computer Emergency Readiness Team Coordination Security risk assessment is considered a significant and indispensible process in all phases of software development lifecycles, and most importantly at the early phases. Estimating the security risk should be integrated with the other product developments parts and this will help developers and engineers determine the risky elements in the software system, and reduce the failure consequences in that software. This is done by building models based on the data collected at the early development cycles. These models will help identify the high security risk elements. In this paper, we introduce a new methodology used at the early phases based on the Unified Modeling Language (UML), Attack graph, and other factors. We estimate the probability term of effort and cost and severity of security failure for each element in software architecture based on UML, attack graph, data sensitivity analysis, access rights, and reachability matrix. Then risk factors are computed. An e

[1]  Charles P. Pfleeger,et al.  Security in computing , 1988 .

[2]  Artur Hecker,et al.  On System Security Metrics and the Definition Approaches , 2008, 2008 Second International Conference on Emerging Security Information, Systems and Technologies.

[3]  Hao Wang,et al.  Security metrics for software systems , 2009, ACM-SE 47.

[4]  Michael Howard,et al.  Measuring Relative Attack Surfaces , 2005 .

[5]  Ketil Stølen,et al.  Model-based risk assessment to improve enterprise security , 2002, Proceedings. Sixth International Enterprise Distributed Object Computing.

[6]  Gary McGraw,et al.  Software Security: Building Security In , 2006, 2006 17th International Symposium on Software Reliability Engineering.

[7]  Kishor S. Trivedi,et al.  Architecture based analysis of performance, reliability and security of software systems , 2005, WOSP '05.

[8]  S.T. Redwine,et al.  Processes for producing secure software , 2004, IEEE Security & Privacy Magazine.

[9]  Shari Lawrence Pfleeger,et al.  Security in Computing, 4th Edition , 2006 .

[10]  Gary McGraw Software Security , 2012, Datenschutz und Datensicherheit - DuD.

[11]  Jeannette M. Wing,et al.  An Attack Surface Metric , 2011, IEEE Transactions on Software Engineering.

[12]  J.B. Bowles,et al.  Threat effects analysis: Applying FMEA to model computer system threats , 2008, 2008 Annual Reliability and Maintainability Symposium.

[13]  Chen Feng,et al.  A Flexible Approach to Measuring Network Security Using Attack Graphs , 2008, 2008 International Symposium on Electronic Commerce and Security.

[14]  Roger S. Pressman,et al.  Software Engineering: A Practitioner's Approach , 1982 .