A Method for Developing Abuse Cases and Its Evaluation

To develop secure software, software engineers need to have the mindset of attackers. Developing abuse cases can help software engineers to think more like attackers. This paper describes a method for developing abuse cases based on threat modeling, attack patterns, and Common Weakness Enumeration. The method also includes ranking the abuse cases according to their risks. This method intends to help non-experts create abuse cases following a specific process, and leveraging the knowledge bases of threat modeling, attack patterns, and Common Weakness Enumeration. The proposed method was evaluated through two evaluation studies conducted in two secure software engineering courses at two different universities. Evaluation studies show that the proposed method was easier to follow by non-experts in generating abuse cases than brainstorming, and could reduce the time needed for creating abuse cases. Other findings from the evaluation studies are also discussed in the paper.

[1]  Xiaohong Yuan,et al.  Developing Abuse Cases Based on Threat Modeling and Attack Patterns , 2015, J. Softw..

[2]  Xiaohong Yuan,et al.  Retrieving relevant CAPEC attack patterns for secure software development , 2014, CISR '14.

[3]  Common Attack Pattern Enumeration and Classification — CAPEC TM A Community Knowledge Resource for Building Secure Software , 2013 .

[4]  Inger Anne Tøndel,et al.  Combining Misuse Cases with Attack Trees and Security Activity Models , 2010, 2010 International Conference on Availability, Reliability and Security.

[5]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[6]  Ian F. Alexander,et al.  Misuse Cases: Use Cases with Hostile Intent , 2003, IEEE Softw..

[7]  Ken Frazer,et al.  Building secure software: how to avoid security problems the right way , 2002, SOEN.

[8]  Inger Anne Tøndel,et al.  How can the developer benefit from security modeling? , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[9]  Annie I. Antón,et al.  Misuse and Abuse Cases : Getting Past the Positive , 2022 .

[10]  Gary McGraw,et al.  Software Security: Building Security In , 2006, 2006 17th International Symposium on Software Reliability Engineering.

[11]  Michael Howard,et al.  The security development lifecycle : SDL, a process for developing demonstrably more secure software , 2006 .

[12]  Imano Williams Evaluating a Method to Develop and Rank Abuse Cases based on Threat Modeling, Attack Patterns and Common Weakness Enumeration , 2015 .