Threat-Driven Design and Analysis of Secure Software Architectures

Computer software is a major source of security risk in information systems. To address software security in the early stages of development, this paper presents a threat-driven approach to the architectural design and analysis of secure software. Security threats are identified and documented as misuse cases; use cases, misuse cases, and the mitigation use cases that counter them are then used to design the architectural components and connectors of candidate architectures. We then analyze whether each candidate architecture resists the identified threats and which constraints must be imposed on the choice of implementation. This gives a smooth transition from requirements specification to high-level design and greatly improves the traceability of security concerns in high-assurance software systems. We demonstrate the approach through two case studies: one on a hospital information system and one on a payroll information system.
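The traceability chain the abstract describes (use case, misuse case that threatens it, mitigation use case that counters it, architectural element that realizes the mitigation) can be checked mechanically once it is written down. The following is an added example, not the paper's own tooling or case-study data: it models a small hospital information system with constructed names (Client, AppServer, Authenticator, AuditLog, RecordDB, and the use, misuse and mitigation cases below are all assumptions) and, for each candidate architecture, reports which threats remain unresisted, which use cases are therefore still exposed, and which implementation constraints the realized mitigations impose on components and connectors.

```python
"""Toy threat-driven architecture check (constructed example, not from the paper).

A mitigation use case is "realized" by a candidate architecture when every
component it needs exists and every connector property it needs is guaranteed.
A misuse case is "resisted" when at least one of its mitigation use cases is
realized; the requirements of the realized mitigations become implementation
constraints that the chosen technology must satisfy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Connector = Tuple[str, str]  # (source component, destination component)


@dataclass(frozen=True)
class Mitigation:
    """A mitigation use case and what an architecture must provide to realize it."""
    name: str
    needs_components: FrozenSet[str] = frozenset()
    # (connector, property) pairs the connector must guarantee, e.g. confidentiality
    needs_properties: FrozenSet[Tuple[Connector, str]] = frozenset()


@dataclass(frozen=True)
class MisuseCase:
    name: str
    threatens: FrozenSet[str]     # use cases this misuse case threatens
    mitigated_by: FrozenSet[str]  # names of mitigation use cases that counter it


@dataclass
class Architecture:
    name: str
    components: Set[str]
    connectors: Dict[Connector, Set[str]]  # connector -> properties it guarantees


def realized(m: Mitigation, arch: Architecture) -> bool:
    """True when the architecture contains everything the mitigation needs."""
    if not m.needs_components <= arch.components:
        return False
    return all(prop in arch.connectors.get(conn, set())
               for conn, prop in m.needs_properties)


def analyze(arch: Architecture, misuse_cases: List[MisuseCase],
            mitigations: List[Mitigation]) -> Tuple[List[str], List[str], List[str]]:
    """Return (unresisted misuse cases, exposed use cases, implementation constraints)."""
    by_name = {m.name: m for m in mitigations}
    unresisted: List[str] = []
    exposed: Set[str] = set()
    constraints: Set[str] = set()
    for mc in misuse_cases:
        active = [by_name[n] for n in mc.mitigated_by if realized(by_name[n], arch)]
        if not active:
            unresisted.append(mc.name)
            exposed |= mc.threatens
            continue
        # Each realized mitigation pins down what the implementation must provide.
        for m in active:
            for comp in m.needs_components:
                constraints.add(f"component {comp} must implement {m.name}")
            for (src, dst), prop in m.needs_properties:
                constraints.add(f"connector {src}->{dst} must be {prop}")
    return sorted(unresisted), sorted(exposed), sorted(constraints)


# --- Constructed hospital information system model (assumed names) ---
CLIENT_TO_SERVER: Connector = ("Client", "AppServer")

MITIGATIONS = [
    Mitigation("AuthenticateUser", needs_components=frozenset({"Authenticator"})),
    Mitigation("EncryptChannel",
               needs_properties=frozenset({(CLIENT_TO_SERVER, "confidential")})),
    Mitigation("IntegrityProtectMessages",
               needs_properties=frozenset({(CLIENT_TO_SERVER, "integrity-protected")})),
    Mitigation("AuditAccess", needs_components=frozenset({"AuditLog"})),
]

MISUSE_CASES = [
    MisuseCase("ImpersonatePhysician",
               frozenset({"ViewPatientRecord", "UpdatePrescription"}),
               frozenset({"AuthenticateUser"})),
    MisuseCase("EavesdropRecordTransfer",
               frozenset({"ViewPatientRecord"}), frozenset({"EncryptChannel"})),
    MisuseCase("TamperPrescriptionInTransit",
               frozenset({"UpdatePrescription"}),
               frozenset({"IntegrityProtectMessages"})),
    MisuseCase("RepudiateRecordAccess",
               frozenset({"ViewPatientRecord"}), frozenset({"AuditAccess"})),
]

# Candidate A: authenticated, audited, protected client/server link.
CANDIDATE_A = Architecture(
    "A: auth + audit + protected link",
    {"Client", "AppServer", "Authenticator", "AuditLog", "RecordDB"},
    {CLIENT_TO_SERVER: {"confidential", "integrity-protected"},
     ("AppServer", "RecordDB"): set()})

# Candidate B: authentication only, plaintext client/server link, no audit log.
CANDIDATE_B = Architecture(
    "B: auth only, plaintext link",
    {"Client", "AppServer", "Authenticator", "RecordDB"},
    {CLIENT_TO_SERVER: set(), ("AppServer", "RecordDB"): set()})


if __name__ == "__main__":
    for arch in (CANDIDATE_A, CANDIDATE_B):
        unresisted, exposed, constraints = analyze(arch, MISUSE_CASES, MITIGATIONS)
        print(arch.name)
        print("  unresisted threats:", unresisted or "none")
        print("  exposed use cases: ", exposed or "none")
        for c in constraints:
            print("  constraint:", c)
```

Candidate A resists every modeled threat, at the price of four implementation constraints (the client/server connector must provide confidentiality and integrity, and the Authenticator and AuditLog components must actually realize their mitigation use cases). Candidate B leaves three threats unresisted and both use cases exposed, which is the kind of result the trade-off between candidate architectures is meant to surface before any implementation choice is made.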
