
Automating Risk Analysis of Software Design Models

The growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduc...


Bibliographic Details
Main Authors: Frydman, Maxime, Ruiz, Guifré, Heymann, Elisa, César, Eduardo, Miller, Barton P.
Format: Online Article Text
Language: English
Published: Hindawi Publishing Corporation 2014
Subjects:
Online Access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4090456/
https://www.ncbi.nlm.nih.gov/pubmed/25136688
http://dx.doi.org/10.1155/2014/805856
_version_ 1782480636428156928
author Frydman, Maxime
Ruiz, Guifré
Heymann, Elisa
César, Eduardo
Miller, Barton P.
author_facet Frydman, Maxime
Ruiz, Guifré
Heymann, Elisa
César, Eduardo
Miller, Barton P.
author_sort Frydman, Maxime
collection PubMed
description The growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduce the need for costly human expertise to perform risk analysis in software, which is common in secure development methodologies, by automating threat modeling. Reducing the dependency on security experts aims at reducing the cost of secure development by allowing non-security-aware developers to apply secure development with little to no additional cost, making secure development more accessible. To automate threat modeling two data structures are introduced, identification trees and mitigation trees, to identify threats in software designs and advise mitigation techniques, while taking into account specification requirements and cost concerns. These are the components of our model for automated threat modeling, AutSEC. We validated AutSEC by implementing it in a tool based on data flow diagrams, from the Microsoft security development methodology, and applying it to VOMS, a grid middleware component, to evaluate our model's performance.
format Online
Article
Text
id pubmed-4090456
institution National Center for Biotechnology Information
language English
publishDate 2014
publisher Hindawi Publishing Corporation
record_format MEDLINE/PubMed
spelling pubmed-40904562014-08-18 Automating Risk Analysis of Software Design Models Frydman, Maxime Ruiz, Guifré Heymann, Elisa César, Eduardo Miller, Barton P. ScientificWorldJournal Research Article The growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduce the need for costly human expertise to perform risk analysis in software, which is common in secure development methodologies, by automating threat modeling. Reducing the dependency on security experts aims at reducing the cost of secure development by allowing non-security-aware developers to apply secure development with little to no additional cost, making secure development more accessible. To automate threat modeling two data structures are introduced, identification trees and mitigation trees, to identify threats in software designs and advise mitigation techniques, while taking into account specification requirements and cost concerns. These are the components of our model for automated threat modeling, AutSEC. We validated AutSEC by implementing it in a tool based on data flow diagrams, from the Microsoft security development methodology, and applying it to VOMS, a grid middleware component, to evaluate our model's performance. Hindawi Publishing Corporation 2014 2014-06-18 /pmc/articles/PMC4090456/ /pubmed/25136688 http://dx.doi.org/10.1155/2014/805856 Text en Copyright © 2014 Maxime Frydman et al. https://creativecommons.org/licenses/by/3.0/ This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
spellingShingle Research Article
Frydman, Maxime
Ruiz, Guifré
Heymann, Elisa
César, Eduardo
Miller, Barton P.
Automating Risk Analysis of Software Design Models
title Automating Risk Analysis of Software Design Models
title_full Automating Risk Analysis of Software Design Models
title_fullStr Automating Risk Analysis of Software Design Models
title_full_unstemmed Automating Risk Analysis of Software Design Models
title_short Automating Risk Analysis of Software Design Models
title_sort automating risk analysis of software design models
topic Research Article
url https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4090456/
https://www.ncbi.nlm.nih.gov/pubmed/25136688
http://dx.doi.org/10.1155/2014/805856