How can the developer benefit from security modeling?

Ardi, Shanai; Byers, David; Meland, Per Håkon; Tøndel, Inger Anne; Shahmehri, Nahid

doi:10.1109/ares.2007.96

Cited by 18 publications

(15 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More practical experience is needed in order to confirm whether this is achieved with our suggested approach, though we believe the practical recommendations will improve security testing in most projects and enable teams and organisations as a whole to learn from past mistakes. To be able to utilise the full potential of the vulnerability repository it is however necessary to integrate the use of the repository into working routines, and even better, to integrate the repository with development tools so that relevant information is available when needed [27].…”

Section: Discussionmentioning

confidence: 99%

“…For describing risk it is possible to utilise the Common Vulnerability Scoring System [32]. By representing the vulnerabilities in a standard way it will be easier to share vulnerability information in an anonymised and generalised form, so that they can be integrated in a public or federated repository, as suggested by Ardi et al [27].…”

Section: What To Recordmentioning

confidence: 99%

“…Common Vulnerabilities and Exposures 10 (CVE), hosted by the MITRE Corporation, provides common identifiers for vulnerabilities and exposures. For a more thorough treatment of public vulnerability repositories and mailing lists, see Ardi et al [27].…”

Section: Existing Databasesmentioning

confidence: 99%

See 2 more Smart Citations

Learning from Software Security Testing

Tøndel¹,

Jaatun

Jensen

2008

2008 IEEE International Conference on Software Testing Verification and Validation Workshop

View full text Add to dashboard Cite

Section: Discussionmentioning

confidence: 99%

Section: What To Recordmentioning

confidence: 99%

See 1 more Smart Citation

Learning from Software Security Testing

Tøndel¹,

Jaatun

Jensen

2008

2008 IEEE International Conference on Software Testing Verification and Validation Workshop

View full text Add to dashboard Cite

“…Information on known vulnerabilities is available in several online repositories, but in general they are more directed towards system administrators than developers [5].…”

Section: Introductionmentioning

confidence: 99%

An Architectural Foundation for Security Model Sharing and Reuse

Meland

Ardi

Jensen

et al. 2009

2009 International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

Within the field of software security we have yet to find efficient ways on how to learn from past mistakes and integrate security as a natural part of software development. This situation can be improved by using an online repository, the SHIELDS SVRS, that facilitates fast and easy interchange of security artefacts between security experts, software developers and their assisting tools. Such security artefacts are embedded in or represented as security models containing the needed information to detect, remove and prevent vulnerabilities in software, independent of the applied development process. The purpose of this paper is to explain the main reference architecture description of the repository and the more general tool stereotypes that can communicate with it.

show abstract

“…To develop secure software that are robust to defend exploits and attacks, security needs to be built into the Software Development Life Cycle (SDLC) [1]- [3]. Software engineers need to have the mindset of attackers, and understand threats that might affect the product [4], [5]. One of the software security best practices that can help software developers to think like an attacker is to create abuse cases.…”

Section: Introductionmentioning

confidence: 99%

A Method for Developing Abuse Cases and Its Evaluation

Williams¹,

Yuan²,

McDonald³

et al. 2016

JSW

View full text Add to dashboard Cite

Abstract:To develop secure software, software engineers need to have the mindset of attackers. Developing abuse cases can help software engineers to think more like attackers. This paper describes a method for developing abuse cases based on threat modeling, attack patterns, and Common Weakness Enumeration. The method also includes ranking the abuse cases according to their risks. This method intends to help non-experts create abuse cases following a specific process, and leveraging the knowledge bases of threat modeling, attack patterns, and Common Weakness Enumeration. The proposed method was evaluated through two evaluation studies conducted in two secure software engineering courses at two different universities. Evaluation studies show that the proposed method was easier to follow by non-experts in generating abuse cases than brainstorming, and could reduce the time needed for creating abuse cases. Other findings from the evaluation studies are also discussed in the paper.

show abstract

How can the developer benefit from security modeling?

Cited by 18 publications

References 11 publications

Learning from Software Security Testing

Learning from Software Security Testing

An Architectural Foundation for Security Model Sharing and Reuse

A Method for Developing Abuse Cases and Its Evaluation

Contact Info

Product

Resources

About