Abstract
This paper describes a unified modeling technique applied after threat identification step of threat modeling process, for ranking the causes of a threat which is then used for threat mitigation and testing. The paper presents a unique approach that starts with enumeration of causes for each possible threat over the system with construction of threat cause model that diagrammatically describes the causes and sub-causes responsible for the occurrence of a threat. The paper suggests an approach for the ranking of both threats and their causes for effective mitigation. After applying threat cause mitigation strategy, testing of system towards a threat is verified by checking the security at the perimeter of the cause model for that threat. This unique technique assures that ensuring all sub-causes at lowest level of abstraction impossible will make the system safe towards a particular threat. Unlike other techniques this technique is unified as it starts with a threat model for each individual threat, that enumerates causes of their occurrence and then the same is used for mitigation and testing. Hence this strategy can ensure security when applied to all threats over the system.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Shostack, A.: Experiences Threat Modeling at Microsoft (2008), http://www.homeport.org/~adam/modsec08/Shostack-ModSec08-Experiences-Threat-Modeling-At-Microsoft.pdf
Howard, M., Leblane, D.: Threat Modeling: Writing Secure Code, 2nd edn., vol. ch. 4. Microsoft Press (2002)
Meier, J.D., Mackman, A., Wastell, B.: Threat Modeling Web Applications. Microsoft Patterns & Practices, Microsoft Corporation (2005), http://msdn.microsoft.com/en-us/library/ff648006.aspx
Meier, J.D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., Murukan, A.: Threat Modeling: Improving Web Application Security:-Threats and Countermeasures. Microsoft patterns & practices, Microsoft Corporation, ch. 3, file:///F:/threat%20modeling/Threat%20Modeling.htm
Abi-Antoun, M., Wang, D., Torr, P.: Checking Threat Modeling Data Flow Diagrams for Implementation Conformance and Security. In: ASE 2007, November 7 (2007) ; short paper program
Threat Modeling: A Process to Ensure Application Security.: SANS Institute InfoSec Reading Room, http://www.sans.org/reading_room/whitepapers/securecode/threat-modeling-process-ensure-application-security_1646
Ambler, S.W.: Introduction to Security Threat Modeling, http://www.agilemodeling.com/artifacts/securityThreatModel.htm
Abdullah, S., Hussain, T., Khan, G.F.: Enhancing C4I Security using Threat Modeling. In: 12th International Conference on Computer Modelling and Simulation (2010)
Chen, Y., Boehm, B., Sheppard, L.: Value Driven Security Threat Modeling Based on Attack Path Analysis. In: Proceedings of the 40th Hawaii International Conference on System Sciences (2007)
Ebenezer, A., Oladimeji., S.S., Lawrence, C.: Security Threat Modeling and Analysis: A Goal-Oriented Approach. In: 10th IASTED International Conference on Software Engineering and Applications (SEA 2006), Dallas, Texas, USA (2006)
The Importance of Threat Modeling White Paper: Information Risk Management. In: IRM PLC (December 2007)
Threat Model Analysis. Microsoft Corporation , http://msdn.microsoft.com/en-us/library/aa561499v=bts.70.aspx
SDL Process: Introduction 2008. Microsoft Corporation, http://msdn.microsoft.com/en-us/library/cc307406.aspx
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Varshney, G., Joshi, R.C., Sardana, A. (2011). Unified Modeling Technique for Threat Cause Ranking, Mitigation and Testing. In: Aluru, S., et al. Contemporary Computing. IC3 2011. Communications in Computer and Information Science, vol 168. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22606-9_48
Download citation
DOI: https://doi.org/10.1007/978-3-642-22606-9_48
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22605-2
Online ISBN: 978-3-642-22606-9
eBook Packages: Computer ScienceComputer Science (R0)