An Asset-Based Assistance for Secure by Design

Messe, Nan; Belloir, Nicolas; Chiprianov, Vanea; El-Hachem, Jamal; Fleurquin, Régis; Sadou, Salah

doi:10.1109/apsec51365.2020.00026

Cited by 2 publications

(2 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other approaches such as ALL4TEC -Cyber Architect 9 , EGERIE-SOFTWARE 10 , Risk'n Tic 11 , have tooled risk analysis methods, allowing the automation of some risk analysis steps through the use of online knowledge bases. This leads to a more accurate risk assessment, but the latter is mostly performed by the security teams.…”

Section: Discussion and Lessons Learnedmentioning

confidence: 99%

“…When developing complex systems, the security analysis is conducted upstream or in parallel with the design phase by security engineers and analysts. Even if efforts are made to consider each other's concerns, this activity remains a difficult task [11]. Similar to the approaches used for safety [12], quality [13], and other performance-based projects, cybersecurity should not be viewed as a one-time "project".…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Towards the Integration of Cybersecurity Risk Assessment into Model-based Requirements Engineering

Naouar

Hachem

Voirin

et al. 2021

2021 IEEE 29th International Requirements Engineering Conference (RE)

View full text Add to dashboard Cite

Engineering projects requires to consider the increasingly significant needs and constraints regarding expected behaviors, services, quality and security. These requirements are introduced into system and software engineering projects as functional and non-functional properties. Satisfying such properties implies rigorous processes that steer the project, from the requirements identification and definition to the system deployment and maintenance. Model-Based System Engineering (MBSE) is an effective approach to address security requirements and risk assessment at the early stages of the development life cycle, which enables cost-efficient fixes. The aim of this work is to investigate how cybersecurity risk assessment could be integrated into model-based requirement engineering. We propose a Modelbased Cyberisk Assessment (MBCA) method, that comprises:(1) A semantic alignment between risk assessment concepts and system modeling concepts and (2) A modeling language extension to represent security concepts and metrics throughout the system modeling life cycle. To illustrate our approach, validate its applicability and evaluate its expressiveness, we applied it to an industrial in-flight entertainment system.

show abstract

Section: Discussion and Lessons Learnedmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Towards the Integration of Cybersecurity Risk Assessment into Model-based Requirements Engineering

Naouar

Hachem

Voirin

et al. 2021

2021 IEEE 29th International Requirements Engineering Conference (RE)

View full text Add to dashboard Cite

show abstract

Asset-Oriented Threat Modeling

Messe

Chiprianov

Belloir

et al. 2020

2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)

Self Cite

View full text Add to dashboard Cite

Threat modeling is recognized as one of the most important activities in software security. It helps to address security issues in software development. Several threat modeling processes are widely used in the industry such as the one of Microsoft SDL. In threat modeling, it is essential to first identify assets before enumerating threats, in order to diagnose the threat targets and spot the protection mechanisms. Asset identification and threat enumeration are collaborative activities involving many actors such as security experts and software architects. These activities are traditionally carried out in brainstorming sessions. Due to the lack of guidance, the lack of a sufficiently formalized process, the high dependence on actors' knowledge, and the variety of actors' background, these actors often have difficulties collaborating with each other. Brainstorming sessions are thus often conducted sub-optimally and require significant effort. To address this problem, we aim at structuring the asset identification phase by proposing a systematic asset identification process, which is based on a reference model. This process structures and identifies relevant assets, facilitating the threat enumeration during brainstorming. We illustrate the proposed process with a case study and show the usefulness of our process in supporting threat enumeration and improving existing threat modeling processes such as the Microsoft SDL one.Index Terms-threat modeling (process), asset-based reference model, asset identification, attack pattern

show abstract

An Asset-Based Assistance for Secure by Design

Cited by 2 publications

References 22 publications

Towards the Integration of Cybersecurity Risk Assessment into Model-based Requirements Engineering

Towards the Integration of Cybersecurity Risk Assessment into Model-based Requirements Engineering

Asset-Oriented Threat Modeling

Contact Info

Product

Resources

About