Skip to main content
SpringerLink
Log in
Book cover

International Workshop on Security

IWSEC 2010: Advances in Information and Computer Security pp 337–353Cite as

Introducing Mitigation Use Cases to Enhance the Scope of Test Cases

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6434))

Abstract

Gathering security-related requirements and designing dependable software is difficult. Even though software security has become one of the main challenge of software development and security issues are taken increasingly into account in software companies, the security viewpoint is typically loosely integrated in developers routines and development processes. This paper presents results from an experiment where use case, misuse case and mitigation use case descriptions were used to generate test cases for the system. This helps integrating the security characteristics into the product already in the first phases of development. By defining the misuse cases and planning corresponding mitigations help developers to build the security characteristics right into the product, because security is addressed throughout the development from the requirements phase to the testing phase. We suggest some enhancements to the misuse case approach to help developers identify security requirements more carefully. Furthermore, we present a procedure for generating test cases from the mitigations in order to ensure that security targets have been achieved. Results from our experiments indicate that the approach improves the process of producing relevant test cases.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Alexander, I.: Misuse Cases: Use Cases With Hostile Intent. IEEE Software 20(1), 58–66 (2003)

    Article  Google Scholar 

  2. Avizienis, A., Laprie, J.C., Randell, B.: Fundamental Concepts of Dependability. In: Okamoto, E., Pieprzyk, J.P., Seberry, J. (eds.) ISW 2000. LNCS, vol. 1975, pp. 1–6. Springer, Heidelberg (2000)

    Google Scholar 

  3. Basili, V., Donzelli, P., Asgari, S.: A Unified Model of Dependability: Capturing Dependability in Context. IEEE Software 21(6), 19–25 (2004)

    Article  Google Scholar 

  4. Baskerville, R.: The Developmental Duality of Information Systems Security. Journal of Management Systems 4(1), 1–12 (1992)

    Google Scholar 

  5. Baskerville, R.: Information Systems Security Design Methods: Implications for Information Systems Development. ACM Computing Surveys 25(4), 375–414 (1993)

    Article  Google Scholar 

  6. Berger, B.: The Dangers of Use Cases Employed as Test Cases. In: STAR West Conference (2001), http://www.testassured.com/docs/Dangers.htm (referenced 23.11.2007)

  7. Best, B., Jürjens, J.: Model-based Security Engineering of Distributed Information Systems using UMLsec. In: Proceedings of the 29th International Conference on Software Engineering, pp. 581–590 (2007)

    Google Scholar 

  8. Common Vulnerabilities and Exposures. The Standard for Information Security Vulnerability Names (2007), http://cve.mitre.org/ (referenced 12.9.2007).

  9. Hafiz, M., Adamczyk, P., Johnson, R.E.: Organizing Security Patterns. IEEE Software, 52–60 (July/August 2007)

    Google Scholar 

  10. Hall, E.M.: Managing Risk: Methods for Software Systems Development. Addison-Wesley, Reading (1998)

    Google Scholar 

  11. Heumann, J.: Generating Test Cases from Use Cases. Journal of Software Testing Professionals 3(2) (2002)

    Google Scholar 

  12. Hope, P., McGraw, G., Anton, A.I.: Misuse and Abuse Cases: Getting Past the Positive. IEEE Security & Privacy 2(3), 90–92 (2004)

    Article  Google Scholar 

  13. Jürjens, J.: Using UMLsec and Goal Trees for Secure Systems Development. In: Proceedings of the 2002 ACM Symposium on Applied Computing (SAC), pp. 1026–1030 (2002)

    Google Scholar 

  14. Jürjens, J.: Sound Methods and Effective Tools for Model-based Security Engineering with UML. In: Proceedings of the 27th International Conference on Software Engineering, pp. 322–331 (2005)

    Google Scholar 

  15. Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security? In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  16. McDermott, J., Fox, C.: Using Abuse Case Models for Security Requirements Analysis. Proceedings of the 15th Annual Computer Security Applications Conference, 55–64 (1999)

    Google Scholar 

  17. Mead, N.R.: Identifying Security Requirements Using the Security Quality Requirements Engineering (SQUARE) Method. In: Mouraditis, H., Giorgine, P. (eds.) Integrating Security and Software Engineering: Advances and Future Visions. IDEA Group Publishing, London (2007)

    Google Scholar 

  18. Mouraditis, H., Giorgine, P.: Integrating Security and Software Engineering: An Introduction. In: Mouraditis, H., Giorgine, P. (eds.) Integrating Security and Software Engineering: Advances and Future Visions. IDEA Group Publishing, London (2007)

    Chapter  Google Scholar 

  19. Opdahl, A.L., Sindre, G.: Experimental comparison of attack trees and misuse cases for security threat identification. Journal of Information and Software Technology 10(1), 916–932 (2009)

    Article  Google Scholar 

  20. Pauli, J., Xu, D.: Integrating Functional and Security Requirements with Use Case Decomposition. In: Proceedings of the 11th International Conference on Engineering of Complex Computer Systems, pp. 57–66 (2006)

    Google Scholar 

  21. Potter, B., McGraw, G.: Software Security Testing. IEEE Security & Privacy 2(5), 81–85 (2004)

    Article  Google Scholar 

  22. Sindre, G., Opdahl, A.L.: Eliciting Security Requirements by Misuse Cases. In: Proceedings of 37th International Conference Technology of Object-Oriented Languages and Systems, pp. 120–131 (2000)

    Google Scholar 

  23. Siponen, M., Heikka, J.: Do Secure Information System Design Methods Provide Adequate Modeling Support? Information and Software Technology 50(9-10), 1035–1053 (2008)

    Article  Google Scholar 

  24. Tøndel, I., Jaatun, M., Meland, P.: Security Requirements for the Rest of Us: A Survey. IEEE Software 25(1), 20–27 (2008)

    Article  Google Scholar 

  25. Viega, J., McGraw, G.: Building Secure Software - How to avoid security problems the right way. Addison-Wesley, Boston (2004)

    Google Scholar 

  26. Villarroel, R., Fernández-Medina, E., Piattini, M.: Secure information systems development - a survey and comparison. Journal of Computers & Security 24(4), 308–321 (2005)

    Article  Google Scholar 

  27. Weiss, M.: Modelling Security Patterns using NFR Analysis. In: Mouraditis, H., Giorgine, P. (eds.) Integrating Security and Software Engineering: Advances and Future Visions, IDEA Group Publishing, London (2007)

    Google Scholar 

  28. Wood, D., Reis, J.: Use Case Derived Test Cases. Harris Corporation. In: STAREAST on Software Quality Engineering Conference (1999)

    Google Scholar 

  29. Wysopal, C., Nelson, L., Dai Zovi, D., Dustin, E.: The Art of Software Security Testing. Addison-Wesley, Reading (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Dept. of Information Processing Science, University of Oulu, Oulu, Finland

    Lasse Harjumaa & Ilkka Tervonen

Authors
  1. Lasse Harjumaa
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ilkka Tervonen
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. National Institute of Informatics, 2-1-2 Hitotsubashi, 101-8430, Chiyoda-ku, Tokyo, Japan

    Isao Echizen

  2. School of Frontier Sciences, Department of Complexity Science and Engineering, University of Tokyo, 5-1-5 Kashiwanoha, Kashiwa-shi, 277-8561, Chiba, Japan

    Noboru Kunihiro

  3. School of Science and Technology for Future Life, Department of Information Systems and Multi Media, Tokyo Denki University, 2-2 Kanda-Nishiki-cho, 101-8457, Chiyoda-ku, Tokyo, Japan

    Ryoichi Sasaki

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Harjumaa, L., Tervonen, I. (2010). Introducing Mitigation Use Cases to Enhance the Scope of Test Cases. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds) Advances in Information and Computer Security. IWSEC 2010. Lecture Notes in Computer Science, vol 6434. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16825-3_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-16825-3_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16824-6

  • Online ISBN: 978-3-642-16825-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation