On security development Lifecycle: Conceptual description of vulnerabilities, risks, and threats

International Journal of Digital Content Technology and its Applications

Volumn 5, Issue 5, 2011, Pages 296-306

  Al Fedaghi, Sabah ^a   Alkandari, Abdulrahman ^a  

^a KUWAIT UNIVERSITY   (Kuwait)

Author keywords

Conceptual model; Risks; Security development lifecycle; Threats; Vulnerabilities

Indexed keywords

CONCEPTUAL MODEL; DATA FLOW DIAGRAMS; DESIGN PHASIS; REQUIREMENTS PHASE; SDL; SECURITY AND PRIVACY; SECURITY DEVELOPMENT LIFECYCLE; SECURITY REQUIREMENTS; SECURITY RISK ASSESSMENTS; SOFTWARE ASSURANCE; SOFTWARE DEVELOPER; SOFTWARE PRODUCTION; THREAT MODELING; THREATS; VULNERABILITIES;

DATA FLOW ANALYSIS; LIFE CYCLE; REQUIREMENTS ENGINEERING;

RISK ASSESSMENT;

EID: 79958056378     PISSN: 19759339     EISSN: None     Source Type: Journal    
DOI: 10.4156/jdcta.vol5.issue5.32     Document Type: Article

References (23)

1. PITAC, "Cyber Security: A Crisis of Prioritization", The President's Information Technology Advisory Committee, February 2005. http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf
2. FORTIFY, "Optimizing the Microsoft SDL for Secure Development", Whitepaper, Fortify Solutions to Strengthen and Streamline a Microsoft Security Development Lifecycle Implementation, 2010. http://www.fortify.com/servlet/download/public/Optimizing_the_Microsoft_SDL_for_Secure_Development.pdf
3. Hajar Mat Jani, Salama A. Mostafa, "Implementing Case-Based Reasoning Technique to Software Requirements Specifications Quality Analysis", IJACT: International Journal of Advancements in Computing Technology, vol. 3, no. 1, pp. 23-31, 2011.
4. Microsoft, Version 5.0, "The Microsoft Security Development Lifecycle (SDL)", 2010. http://msdn.microsoft.com/en-us/security/cc448177.aspx
5. M. Abi-Antoun, D. Wang, P. Torr, "Checking Threat Modeling Data Flow Diagrams for Implementation Conformance and Security", ASE'07, Atlanta, Georgia, 5-9 November, pp. 393-396, 2007. http://www.cs.cmu.edu/~mabianto/papers/07_ase.pdf
6. M. Abi-Antoun, J. M. Barne, "STRIDE-based Security Model in Acme", Technical Report CMUISR-10-106, Carnegie Mellon Univ., 2010. http://reportsarchive.adm.cs.cmu.edu/anon/isr2010/CMU-ISR-10-106.pdf
7. Richard Bejtlich, "Threat Model vs. Attack Model", TaoSecurity: Richard Bejtlich's blog on digital security and the practices of network security monitoring, incident response, and forensics, 12 June 2007. http://taosecurity.blogspot.com/2007/06/threat-model-vs-attack-model.html
8. Sabah Al-Fedaghi, "Some Aspects of Personal Information Theory", 7th Annual IEEE Information Assurance Workshop (IEEE-IAW 2006), United States Military Academy, West Point, NY, pp 155-162, 2006. http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=01652066
9. Sabah Al-Fedaghi, "States and Conceptualization of Software Systems", International Review on Computers and Software (IRECOS), Vo. 4, No. 6, pp. 718-727, 2009. http://www.praiseworthyprize.com/IRECOS_latest.html#States_and_Conceptual_Modeling_of_Software_Systems
10. Sabah Al-Fedaghi, "Conceptualization of Business Processes", IEEE Asia-Pacific Services Computing Conference (IEEE APSCC 2009), Biopolis, Singapore, pp. 75-79 (hardcopy proceedings), December 2009.
11. Sabah Al-Fedaghi, F. Al-Azmi, "Evolution of Data into an Information Hierarchy", Journal of Convergence Information Technology (JCIT), vol. 6, no. 2, pp. 9-21, 2011. http://www.aicit.org/JCIT/ppl/02-FASTJCIT4-965174.pdf
12. Sabah Al-Fedaghi, "A Conceptual Foundation for Data Loss Prevention", International Journal of Digital Content Technology and its Applications (JDCTA), vol. 5, no. 3, pp. 293-303, 2011.
13. Keith Brown, "The NET Developer's Guide to Windows Security", Addison-Wesley, Professional, 2004. http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/HomePage.html
14. Duan Youxiang, Gao Yang, "Evaluating Vulnerabilities Quantitatively Based On the Rank of Web Services Confidentiality", Journal of Next Generation Information Technology (JNIT), vol. 2, no. 1, pp. 81-87, 2011.
15. J. D. Meier, A. Mackman, B. Wastell, "Threat Modeling Web Applications", Microsoft Corporation, May 2005. http://msdn.microsoft.com/en-us/library/ff648006.aspx
16. Qualys, "Severities KnowledgeBase", 2010. http://browsercheck.qualys.com/research/rnd/knowledge/severity/
17. CORAS, http://coras.sourceforge.net, 2006.
18. Frank Swiderski, Window Snyder, "Threat Modeling (Microsoft Professional)", Microsoft Press. http://www.agilemodeling.com/artifacts/securityThreatModel.htm.
19. Frank Swiderski, "Threat Modeling Tool", Microsoft, June 2004. www.microsoft.com/downloads
20. O. Sheyner, J. Haines, S. Jha, R. Lippmann, J. M. Wing, "Automated Generation and Analysis of Attack Graphs", IEEE Symposium on Security and Privacy, pp. 273-284, 2002.
21. A. Van Lamsweerde, "Elaborating security requirements by construction of intentional antimodels", International Conference on Software Engineering (ICSE), pp. 148-157, 2004.
22. Jan Jurjens, "Developing Secure Systems with UMLsec-From Business Processes to Implementation", In A. Pfitzmann, D. Fox, M. Kohntopp (eds.), Proc. Verl assliche IT-Systeme 2001-Sicherheit in komplexen IT-Infrastrukturen, Kiel, Germany. Vieweg Verlag, 2001.
23. The Open Web Application Security Project (OWASP), "Application Threat Modeling", 4 May 2009. http://www.owasp.org/index.php?title=Application_Threat_Modeling&setlang=en