Towards Security Threats that Matter

  • Conference paper
Computer Security (SECPRE 2017, CyberICPS 2017)

Abstract

Architectural threat analysis is a pillar of security by design and is routinely performed in companies. STRIDE is a well-known technique that is predominantly used to this aim. This technique aims at maximizing the completeness of the discovered threats and therefore yields a large number of them. Many of these threats are eventually ranked with the lowest importance during the prioritization step that follows threat elicitation. While low-priority threats are often ignored later on, the analyst has already spent significant time eliciting them, which is highly inefficient. Experience in large companies shows that there is a shortage of security experts, who have limited time for analyzing architectural designs. Therefore, there is a need for a more efficient use of the allocated resources. This paper attempts to mitigate the problem by introducing a novel approach consisting of a risk-first, end-to-end asset analysis. Our approach enriches the architectural model used during the threat analysis, with a particular focus on representing security assumptions and constraints about the solution space. This richer set of information is leveraged during the architectural threat analysis in order to apply the necessary abstractions, which result in a lower number of significant threats. We illustrate our approach by applying it to an architecture originating from the automotive industry.

Notes

  1. According to STRIDE, a data flow is subject to three types of threats: tampering (T), information disclosure (I), and denial of service (D).
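To make the idea in the abstract and in the note concrete, the following is an added illustration, not the paper's method or code: plain STRIDE-per-element assigns T, I and D to every data flow, and explicitly modelled security assumptions plus an asset-value threshold then prune that list to the significant threats. The mapping from assumptions to STRIDE categories, the threshold and the sample flows are all hypothetical.

```python
# Added illustration (not the paper's own method or code): STRIDE-per-element
# threat generation for data flows, then pruning with explicit, labelled
# security assumptions and an asset-value threshold from the asset analysis.
# All flows, asset values and assumptions below are constructed sample input.
from dataclasses import dataclass, field

# Per the paper's note, a data flow is subject to T, I and D threats.
DATA_FLOW_THREATS = ("T", "I", "D")

@dataclass
class DataFlow:
    name: str
    asset: str            # information asset carried by the flow
    asset_value: int      # 1 (low) .. 5 (high), assigned during asset analysis
    assumptions: set = field(default_factory=set)

# Hypothetical mapping: which STRIDE categories an assumption discharges.
ASSUMPTION_COVERS = {
    "authenticated_channel": {"T"},
    "encrypted_channel": {"I"},
    "redundant_link": {"D"},
}

def elicit(flows):
    """Plain STRIDE: every flow gets every applicable threat category."""
    return [(f.name, t) for f in flows for t in DATA_FLOW_THREATS]

def elicit_with_assumptions(flows, min_value=3):
    """Risk-first variant: drop threats discharged by an assumption and keep
    only threats on flows whose asset value meets the significance threshold."""
    kept = []
    for f in flows:
        covered = set().union(*(ASSUMPTION_COVERS.get(a, set()) for a in f.assumptions))
        for t in DATA_FLOW_THREATS:
            if t not in covered and f.asset_value >= min_value:
                kept.append((f.name, t, f.asset_value))
    return sorted(kept, key=lambda x: -x[2])   # highest-value assets first

# Constructed automotive-style sample: flows between ECUs and a gateway.
SAMPLE_FLOWS = [
    DataFlow("brake_cmd", "brake command", 5, {"authenticated_channel"}),
    DataFlow("telemetry", "vehicle telemetry", 2, {"encrypted_channel"}),
    DataFlow("ota_update", "firmware image", 5, set()),
    DataFlow("infotainment_ui", "UI events", 1, set()),
]

if __name__ == "__main__":
    print(len(elicit(SAMPLE_FLOWS)), "threats from plain STRIDE")
    for name, t, v in elicit_with_assumptions(SAMPLE_FLOWS):
        print(f"{name}: {t} (asset value {v})")
```

On the sample input plain STRIDE yields 12 threats, of which 5 survive the assumptions and the threshold.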

Acknowledgments

This research was partially supported by the Swedish VINNOVA FFI project “HoliSec: Holistic Approach to Improve Data Security”.

Corresponding author

Correspondence to Katja Tuma.

Copyright information

© 2018 Springer International Publishing AG

Cite this paper

Tuma, K., Scandariato, R., Widman, M., Sandberg, C. (2018). Towards Security Threats that Matter. In: Katsikas, S., et al. Computer Security. SECPRE CyberICPS 2017. Lecture Notes in Computer Science, vol 10683. Springer, Cham. https://doi.org/10.1007/978-3-319-72817-9_4

  • DOI: https://doi.org/10.1007/978-3-319-72817-9_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72816-2

  • Online ISBN: 978-3-319-72817-9