Abstract
Gathering security-related requirements and designing dependable software is difficult. Even though software security has become one of the main challenges of software development and security issues are increasingly taken into account in software companies, the security viewpoint is typically loosely integrated into developers' routines and development processes. This paper presents results from an experiment where use case, misuse case and mitigation use case descriptions were used to generate test cases for the system. This helps integrate the security characteristics into the product already in the first phases of development. Defining the misuse cases and planning corresponding mitigations helps developers build the security characteristics right into the product, because security is addressed throughout the development from the requirements phase to the testing phase. We suggest some enhancements to the misuse case approach to help developers identify security requirements more carefully. Furthermore, we present a procedure for generating test cases from the mitigations in order to ensure that security targets have been achieved. Results from our experiments indicate that the approach improves the process of producing relevant test cases.
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Harjumaa, L., Tervonen, I. (2010). Introducing Mitigation Use Cases to Enhance the Scope of Test Cases. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds) Advances in Information and Computer Security. IWSEC 2010. Lecture Notes in Computer Science, vol 6434. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16825-3_23
DOI: https://doi.org/10.1007/978-3-642-16825-3_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16824-6
Online ISBN: 978-3-642-16825-3
eBook Packages: Computer Science (R0)