Modelling misuse cases as a means of capturing security requirements

Use cases as part of requirements engineering are often seen as an essential part of systems development in many methodologies. Given that modern, security-oriented software development methods such as SDL, SQUARE and CLASP place security at the forefront of product initiation, design and implementation, the focus of requirements elicitation must now move to capturing security requirements so as not to replicate past errors. Misuse cases can be an effective tool to model security requirements. This paper uses a case study to investigate the generation of successful misuse cases by employing the STRIDE framework as used in the SDL.
