A System for Managing Security Knowledge using Case Based Reasoning and Misuse Cases

Making secure a software system is a very critical purpose, especially because it is very hard to consolidate an exhaustive body of knowledge about security risks and related countermeasures. To define a technological infrastructure for exploiting this knowledge poses many challenges. This paper introduces a system to capture, share and reuse software security knowledge within a Software Organization. The system collects knowledge in the form of misuse cases and makes use of Case Based Reasoning for implementing knowledge management processes.

[1]  Hidehiko Tanaka,et al.  Identifying Security Aspects in Early Development Stages , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[2]  Xiaohong Li,et al.  A Unified Threat Model for Assessing Threat in Web Applications , 2008, 2008 International Conference on Information Security and Assurance (isa 2008).

[3]  Nahid Shahmehri,et al.  Design of a Process for Software Security , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[4]  Gary McGraw,et al.  Knowledge for Software Security , 2005, IEEE Secur. Priv..

[5]  Charlie Lai Java Insecurity: Accounting for Subtleties That Can Compromise Code , 2008, IEEE Software.

[6]  Dianxiang Xu,et al.  Integrating functional and security requirements with use case decomposition , 2006, 11th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS'06).

[7]  Gero Miesenböck,et al.  New technologies , 2005, Current Opinion in Neurobiology.

[8]  Christopher K. Riesbeck,et al.  Inside Case-Based Reasoning , 1989 .

[9]  Jeffrey A. Ingalsbe,et al.  Threat Modeling: Diving into the Deep End , 2008, IEEE Software.

[10]  David McKinney Vulnerability Bazaar , 2007, IEEE Security & Privacy.

[11]  Dianxiang Xu,et al.  A Threat Model Driven Approach for Security Testing , 2007, Third International Workshop on Software Engineering for Secure Systems (SESS'07: ICSE Workshops 2007).

[12]  Andreas L. Opdahl,et al.  Generalization/specialization as a structuring mechanism for misuse cases , 2002 .

[13]  John Steven,et al.  Defining Misuse within the Development Process , 2006, IEEE Security & Privacy.

[14]  Nicolas Mayer,et al.  Alignment of Misuse Cases with Security Risk Management , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[15]  Armin Stahl,et al.  Using Evolution Programs to Learn Local Similarity Measures , 2003, ICCBR.

[16]  Dianxiang Xu,et al.  Threat-driven modeling and verification of secure software using aspect-oriented Petri nets , 2006, IEEE Transactions on Software Engineering.

[17]  Zengliang Liu,et al.  Evaluating Method of Security Threat Based on Attacking-Path Graph Model , 2008, 2008 International Conference on Computer Science and Software Engineering.

[18]  A. Raman,et al.  An integrated approach to security in software development methodologies , 2008, 2008 Canadian Conference on Electrical and Computer Engineering.

[19]  Liu Xue Zhong,et al.  Evaluating Method of Security Threat Based on Attacking-Path Graph Model , 2008, CSSE 2008.

[20]  Erwin K. Welsch,et al.  New technologies , 1990 .

[21]  K. Saleh,et al.  The Security Requirements Behavior Model for Trustworthy Software , 2008, 2008 International MCETECH Conference on e-Technologies (mcetech 2008).

[22]  M. Eric Johnson,et al.  Embedding Information Security into the Organization , 2007, IEEE Security & Privacy.

[23]  Muhammad Younus Javed,et al.  Threat Modeling in Pervasive Computing Paradigm , 2008, 2008 New Technologies, Mobility and Security.