论文信息 - Identifying Potential Security Flaws using Loophole Analysis and the SECREt

Identifying Potential Security Flaws using Loophole Analysis and the SECREt

In contemporary software development there are a number of methods that attempt to ensure the security of a system. Many of these methods are however introduced in the latter stages of development or try to address the issues of securing a software system by envisioning possible threats to that system, knowledge that is usually both subjective and esoteric. In this paper we introduce the concept of path fixation and discuss how contradictory paths or loopholes, discovered during requirements engineering and using only a requirements specification document, can lead to potential security flaws in a proposed system. The SECREt is a proof-of-concept prototype tool developed to demonstrate the effectiveness of loophole analysis. We discuss how the tool performs a loophole analysis and present the results of tests conducted on an actual specification document. We conclude that loophole analysis is an effective, objective method for the discovery of potential vulnerabilitites that exist in proposed systems and that the SECREt can be successfully incorporated into the requirements engineering process.

Curtis Busby-Earle | Ezra Mugisa

[1] Konstantin Beznosov,et al. Security for the Rest of Us: An Industry Perspective on the Secure-Software Challenge , 2008, IEEE Software.

[2] Axel van Lamsweerde,et al. Reasoning about confidentiality at requirements engineering time , 2005, ESEC/FSE-13.

[3] John Mylopoulos,et al. Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[4] Andreas L. Opdahl,et al. Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[5] Jan Jürjens,et al. UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[6] Nancy R. Mead. Identifying Security Requirements Using the Security Quality Requirements Engineering (SQUARE) Method , 2007 .

[7] John P. McDermott,et al. Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[8] Betty H. C. Cheng,et al. Research Directions in Requirements Engineering , 2007, Future of Software Engineering (FOSE '07).