Abstract
This tutorial provides an overview of the best industrial practices in IT security analysis followed by a sketch of recent research results in this area, especially results providing formal foundations and more powerful tools for security analysis. The conclusion suggests directions for further work to fill the gaps between formal methods and industrial practices.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Le Métayer, D. (2007). IT Security Analysis Best Practices and Formal Approaches. In: Aldini, A., Gorrieri, R. (eds) Foundations of Security Analysis and Design IV. FOSAD FOSAD 2007 2006. Lecture Notes in Computer Science, vol 4677. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74810-6_3
DOI: https://doi.org/10.1007/978-3-540-74810-6_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74809-0
Online ISBN: 978-3-540-74810-6
eBook Packages: Computer Science, Computer Science (R0)