How can the developer benefit from security modeling?

Proceedings - Second International Conference on Availability, Reliability and Security, ARES 2007

Volumn , Issue , 2007, Pages 1017-1025

  Ardi, Shanai ^a   Byers, David ^a   Meland, Per Håkon ^b   Tøndel, Inger Anne ^b   Shahmehri, Nahid ^a  

^a LINKÖPING UNIVERSITY   (Sweden)

^b SINTEF ICT   (Norway)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER AIDED SOFTWARE ENGINEERING; COMPUTER CRIME; MATHEMATICAL MODELS; PROBLEM SOLVING; USER INTERFACES;

MALICIOUS USERS; SECURE SOFTWARE DEVELOPMENT; SECURITY MODELING; SOFTWARE DEVELOPMENT PROJECT;

NETWORK SECURITY;

EID: 34548177309     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ARES.2007.96     Document Type: Conference Paper

References (48)

1. S. Ardi, D. Byers, C. Duma, and N. Shahmehri. A causebased approach to preventing software vulnerabilities, (submitted).
2. S. Ardi, D. Byers, and N. Shahmehri. Towards a structured unified process for software security. In Procedeengs of the ICSE 2006 Workshop on Software Engineering for Secure Software (SESS06, Shanghai, China, 2006.
3. D. Byers, S. Ardi, N. Shahmehri, and C. Duma. Modeling software vulnerabilities with vulnerability cause graphs. In Procedeengs of the International Conference on Software Maintenance, Philadelphia, PA, USA, 2006.
4. CERIAS. Coop VDB - the public vulnerability database, https://cirdb.cerias.purdue.edu/coopvdb/public/ (accessed December 8 2006).
5. CERT/CC statistics 1988-2006. http://wv7w.cert.org/stats/ (accessed December 14 2006).
6. Computer Associates. Vulnerability Information Center, http://www3.ca.com/securityadvisor/vulninfo/ (accessed December 8 2006).
7. Coverity. Prevent, http://www.coverity.com/(accessed December 12 2006).
8. D. G. Firesmith. Security use cases. Journal of Object Technology, 2(3):53-64, 2003.
9. Fortify Software. Fortify SCA. http://www.fortifysoftware.com/products/ sca/ (accessed December 12 2006).
10. M. Howard. Building more secure software with improved development process. IEEE Security & Privacy, 2(6):63-65, 2004.
11. Klocwork. K7. http://www.klocwork.com/ (accessed December 12 2006).
12. C. E. Landwehr, B. C. Gabrielson, and J. D. Humphrey. Requirements and approaches for a computer vulnerability data archive. In Invitational Workshop on Computer Vulnerability Data Sharing, Gaithersburg, MD, 1996.
13. S. B. Lipner. The trustwothy computing security development lifecycle. In Procedeeings of the 20th Annual Computer Security Applications Conference, pages 2-13, Tucson, AZ, USA, 2004.
14. J. McDermott and C. Fox. Using abuse case models for security requirements analysis. In ACSAC '99: Proceedings of the 15th Annual Computer Security Applications Conference, page 55, Washington, DC, USA, 1999. IEEE Computer Society.
15. G. McGraw. From the ground up: The DIMACS software security workshop. IEEE Security & Privacy, 1(2):59-66, March-April 2003.
16. G. McGraw and A. K. Ghosh. Developing expertise in software security:an outsider's perspective. In Invitational Workshop on Computer Vulnerability Data Sharing, Gaithersburg, MD, 1996.
17. MITRE. Common vulnerabilities and exposures (CVE). http://cve.mitre.org/ (accessed December 8 2006).
18. A. P. Moore, R. J. Ellison, and R. C. Linger. Attack modeling for information security and survivability. In Dependable Systems and Networks Conference, Gothenburg, Sweden, 2001.
19. NIST. The national vulnerability database, http://nvd.nist.gov/ (accessed December 8 2006).
20. NIST. Source code analyzers, http://samate.nist.gov/index.php/ Source_Code_Analyzers (accessed December 12 2006).
21. OMG. Meta-object facility (MOF™), version 1.4. http://www.omg.org/ technology/documents/formal/mof.htm (accessed December 13 2006).
22. OMG. MOF 2.0/XMI mapping specification, version 2.1. http://www.omg.org/ technology/documents/formal/xmi.htm(accessed December 13 2006).
23. OMG. Unified modeling language, version 2.0. http://www.omg.org/ technology/documents/formal/uml.htm (accessed December 13 2006).
24. OSVDB. The open source vulnerability database, http://osvdb.org/ (accessed December 8 2006).
25. Ounce Labs. Ounce, http://www.ouncelabs.com/(accessed December 12 2006).
26. OWASP. LAPSE: Web application security scanner for java. http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project (accessed December 12 2006).
27. Packet Storm Advisories. http://packetstormsecurity.org (accessed December 8 2006).
28. S. Polepeddi. Software vulnerability taxonomy consolidation. Technical Report UCRL-TH-208822, Lawrence Livermore National Laboratory, 2005.
29. D. Pozza, R. Sisto, L. Durante, and A. Valenzano. Comparing lexical analysis tools for buffer overflow detection in network software. In Proceedings of First International Conference on Communication System Software and Middleware (Comsware06), Bangalore, India, 2006.
30. S. T. Redwine and N. Davis. Processes to Produce Secure Software. Task Force on Security Across the Software development Lifecycle, 2004. Appendix B.
31. Root cause analysis guidance document. U.S.Department of Energy Guideline DOE-NE-STD-1004-92, 1992.
32. L. Røstad. An extended misuse case notation: Including vulnerabilities and the insider threat. In Proceedings of The Twelfth Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ'06), Luxembourg, 2006.
33. B. Schneier. Attack trees: Modeling security threats. Dr. Dobb's Journal, December 1999.
34. Secunia. Secunia vulnerability archive. http://secunia.com/ (accessed December 8 2006).
35. Secure Software. CodeAssure. http://www.securesof tware.com/ (accessed December 12 2006).
36. Secure Software, Inc. The CLASP application security process, http://www.securesoftware.com/ (accessed April 2006).
37. Secure Software, Inc. Secure software, rough auditing tool for security, http://www.securesoftware.com/ (accessed November 2006).
38. SecurityFocus. The SecurityFocus vulnerability database. http://www.securityfocus.com/ (accessed December 8 2006).
39. G. Sindre and L. Opdahl. Eliciting security requirements with misuse cases. Requirements Engineering, 10(1):34-44, 2005.
40. splint.org. Splint - annotation-assisted lightweight static checking, http://splint.org/ (accessed December 12 2006).
41. F. Swiderski and W. Snyder. Threat Modeling. Microsoft Professional, 2004.
42. The Open Web Application Security Project. OWASP Category:Vulnerability. http://www.owasp.org/index.php/Category:Vulnerability (accessed December 8 2006).
43. H. H. Thompson and J. A. Whittaker. Rethinking software security. Dr. Dobb's Journal, (January 7), 2004.
44. P. Torr. Demystifying the threat-modeling process. IEEE Security & Privacy, 3(5):66-70, 2005.
45. J. Viega, J. T. Bloch, Y. Kohno, and G. McGraw. Its4: A static vulnerability scanner for c and c++ code. In Procedeeings of the 16th Annual Computer Security Applications Conference, pages 257-271, New Orleans, LA, USA, 2000.
46. D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of Network and Distributed Systems Security Symposium, pages 3-17, San Diego, CA, USA, 2000.
47. D.A.Wheeler. Flawfinder. http://www.dwheeler.com/flawfinder/ (accessed December 12 2006).
48. Internet Security Systems X-Force Alerts and Advisories. http://xforce.iss.net/ (accessed December 8 2006).