Effective Security Impact Analysis with Patterns for Software Enhancement

Unlike with functional implementations, it is difficult to analyze the impact of software enhancements on security. One difficulty is identifying the range of effects of new security threats; the other is developing proper countermeasures. This paper proposes an analysis process that uses two kinds of security patterns: security requirements patterns (SRP) for identifying threats and security design patterns (SDP) for identifying countermeasures at an action class level. With these two kinds of patterns and the conventional traceability methodology, developers can estimate and compare the amounts of modification needed by multiple security countermeasures.
