Developing Abuse Cases Based on Threat Modeling and Attack Patterns

Yuan, Xiaohong; Nuakoh, Emmanuel; Williams, Imano; Yu, Huiming

doi:10.17706/jsw.10.4.491-498

Cited by 15 publications

(4 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…9) Rank the abuse cases according to their risks. In this method, the new elements that were introduced into the previous work [11] include steps 7 and 9. In this method, the abuse cases generated are ranked according to their risks.…”

Section: Journal Of Softwarementioning

confidence: 99%

“…McGraw [8] suggested that abuse cases be developed based on a set of requirements and standard use cases, and a list of attack patterns. Our previous work proposed a specific process for developing abuse cases based on threat modeling and attack patterns [11]. Such a method intends to allow software developers who do not have high expertise and experience in security to be able to develop meaningful abuse cases.…”

Section: Introductionmentioning

confidence: 99%

“…Though an example was used to illustrate the use of this method, the effectiveness of this method was not evaluated. This paper describes a method for developing abuse cases that extends the proposed method in [11], and the evaluation of the extended method. This method extends the previous method in the following ways: (a) This method includes ranking the risks of the abuse cases; (2) It incorporates information from Common Weakness Enumeration (CWE) [12] for mitigating the risks of the abuse cases.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Method for Developing Abuse Cases and Its Evaluation

Williams¹,

Yuan²,

McDonald³

et al. 2016

JSW

Self Cite

View full text Add to dashboard Cite

Abstract:To develop secure software, software engineers need to have the mindset of attackers. Developing abuse cases can help software engineers to think more like attackers. This paper describes a method for developing abuse cases based on threat modeling, attack patterns, and Common Weakness Enumeration. The method also includes ranking the abuse cases according to their risks. This method intends to help non-experts create abuse cases following a specific process, and leveraging the knowledge bases of threat modeling, attack patterns, and Common Weakness Enumeration. The proposed method was evaluated through two evaluation studies conducted in two secure software engineering courses at two different universities. Evaluation studies show that the proposed method was easier to follow by non-experts in generating abuse cases than brainstorming, and could reduce the time needed for creating abuse cases. Other findings from the evaluation studies are also discussed in the paper.

show abstract

Section: Journal Of Softwarementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Method for Developing Abuse Cases and Its Evaluation

Williams¹,

Yuan²,

McDonald³

et al. 2016

JSW

Self Cite

View full text Add to dashboard Cite

show abstract

“…For instance, STRIDE considers that the main attacks could be Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. The framework can be used to develop abuse stories by identifying potential threats and vulnerabilities in the software system [25].…”

mentioning

confidence: 99%

An Exploratory Study Gathering Security Requirements for the Software Development Process

Andrade,

Torres,

Ortiz-Garcés

et al. 2023

Electronics

View full text Add to dashboard Cite

Software development stands out as one of the most rapidly expanding markets due to its pivotal role in crafting applications across diverse sectors like healthcare, transportation, and finance. Nevertheless, the sphere of cybersecurity has also undergone substantial growth, underscoring the escalating significance of software security. Despite the existence of different secure development frameworks, the persistence of vulnerabilities or software errors remains, providing potential exploitation opportunities for malicious actors. One pivotal contributor to subpar security quality within software lies in the neglect of cybersecurity requirements during the initial phases of software development. In this context, the focal aim of this study is to analyze the importance of integrating security modeling by software developers into the elicitation processes facilitated through the utilization of abuse stories. To this end, the study endeavors to introduce a comprehensive and generic model for a secure software development process. This model inherently encompasses critical elements such as new technologies, human factors, and the management of security for the formulation of abuse stories and their integration within Agile methodological processes.

show abstract

A User Study: Abuse Cases Derived from Use Case Description and CAPEC Attack Patterns

Williams

Yuan

2018

Information Science and Applications 2018

View full text Add to dashboard Cite

Developing Abuse Cases Based on Threat Modeling and Attack Patterns

Cited by 15 publications

References 7 publications

A Method for Developing Abuse Cases and Its Evaluation

A Method for Developing Abuse Cases and Its Evaluation

An Exploratory Study Gathering Security Requirements for the Software Development Process

A User Study: Abuse Cases Derived from Use Case Description and CAPEC Attack Patterns

Contact Info

Product

Resources

About