On Security Development Lifecycle: Conceptual Description of Vulnerabilities, Risks, and Threats

The Security Development Lifecycle (SDL) is a software assurance methodology that aims to help software developers build more secure software. SDL is typically described as a sequence of phases, among them a requirements phase and a design phase. The requirements phase treats security and privacy as foundational concerns and comprises several activities: eliciting security requirements, assessing security risk, and modeling threats. The problem is that the basic notions at this level (assets, operations, techniques, and so on) are categorized and conceptualized as arbitrary collections with no systematic connection between them. This paper is part of an effort to build a uniform foundation for the notions used in SDL. It focuses on requirements-phase analysis, where we examine the conceptual aspects of threats, risks, and vulnerabilities. We work on two aspects: (1) the notions of threat, risk, and vulnerability are conceptualized using a new approach based on the notion of flow; and (2) the flow-based methodology is presented as an alternative to data flow diagrams as the first step in threat modeling. In both cases the analysis is carried out on sample cases.