Managing Security Knowledge through Case based Reasoning

Making secure a software system is a very critical purpose, especially because it is very hard to consolidate an exhaustive body of knowledge about security risks and related countermeasures. To define a technological infrastructure for exploiting this knowledge poses many challenges. This paper introduces a system to capture, share and reuse software security knowledge within a Software Organization. The system collects knowledge in the form of misuse cases and makes use of Case Based Reasoning for implementing knowledge management processes. A reasoned analysis of the system was performed throughout a case study, in order to identify weaknesses and opportunities of improvement.

[1]  Armin Stahl,et al.  Using Evolution Programs to Learn Local Similarity Measures , 2003, ICCBR.

[2]  John Steven,et al.  Defining Misuse within the Development Process , 2006, IEEE Security & Privacy.

[3]  Muhammad Younus Javed,et al.  Threat Modeling in Pervasive Computing Paradigm , 2008, 2008 New Technologies, Mobility and Security.

[4]  A. Raman,et al.  An integrated approach to security in software development methodologies , 2008, 2008 Canadian Conference on Electrical and Computer Engineering.

[5]  Christopher K. Riesbeck,et al.  Inside Case-Based Reasoning , 1989 .

[6]  Mario Piattini,et al.  A Security Requirements Engineering Process in Practice , 2007, IEEE Latin America Transactions.

[7]  Zengliang Liu,et al.  Evaluating Method of Security Threat Based on Attacking-Path Graph Model , 2008, 2008 International Conference on Computer Science and Software Engineering.

[8]  Dianxiang Xu,et al.  Threat-driven modeling and verification of secure software using aspect-oriented Petri nets , 2006, IEEE Transactions on Software Engineering.

[9]  Xiaohong Li,et al.  A Unified Threat Model for Assessing Threat in Web Applications , 2008, 2008 International Conference on Information Security and Assurance (isa 2008).

[10]  Dianxiang Xu,et al.  A Threat Model Driven Approach for Security Testing , 2007, Third International Workshop on Software Engineering for Secure Systems (SESS'07: ICSE Workshops 2007).

[11]  Gary McGraw,et al.  Knowledge for Software Security , 2005, IEEE Secur. Priv..

[12]  Jeffrey A. Ingalsbe,et al.  Threat Modeling: Diving into the Deep End , 2008, IEEE Software.

[13]  Nahid Shahmehri,et al.  Design of a Process for Software Security , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[14]  Charlie Lai Java Insecurity: Accounting for Subtleties That Can Compromise Code , 2008, IEEE Software.

[15]  Andreas L. Opdahl,et al.  Generalization/specialization as a structuring mechanism for misuse cases , 2002 .