
A User Study: Abuse Cases Derived from Use Case Description and CAPEC Attack Patterns

Conference paper
Information Science and Applications 2018 (ICISA 2018)
Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 514)

Abstract

Developers should incorporate software security best practices from the early stages of the software development lifecycle (SDLC) to build software that is more robust against attacks. However, incorporating security practices at the early stages of the SDLC is difficult for novice software developers who lack a systematic approach to addressing security issues. In this paper we propose a preliminary method for deriving abuse cases, one of the software security best practices, from use case descriptions and attack patterns, and we evaluate the method in a user study. We investigated how effectively the proposed method helps novices develop abuse cases and gained insight into how a novice in software security selects keywords from use case descriptions and selects relevant attack patterns for developing abuse cases. Our main findings concern (1) the approaches participants used to select the keywords and the attack patterns as they related to the use cases; (2) the approach used to select relevant attack patterns; (3) the relationship between the keywords and the attack patterns; and (4) the use case, based on its textual content, which showed that the method can be effective in assisting non-experts to create abuse cases. Finally, we suggest possible approaches for selecting keywords more effectively and discuss the implications of using an inference engine to build relationships between use cases and attack patterns.
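The abstract describes a pipeline (pick keywords from a use case description, retrieve the CAPEC attack patterns those keywords relate to, phrase each match as an abuse case) without showing the mechanics. The following Python script is an added illustration of that pipeline and is not the authors' tool or the paper's method as implemented: the use case text, the stopword list, the keyword tags attached to each pattern, and the scoring are all constructed for this example. Only the CAPEC IDs and names are taken from the CAPEC catalogue; CAPEC has no keyword-tag field, so the tags are an assumption.

```python
"""Keyword-driven retrieval of CAPEC attack patterns from a use case description.

Added illustration of the method sketched in the abstract (select keywords from a
use case description, pick attack patterns that relate to them, phrase an abuse
case). Not the authors' tool: the use case text, stopword list, keyword tags and
scoring are constructed for this example. Only the CAPEC IDs and names come from
the CAPEC catalogue.
"""
import re
from collections import Counter

# Constructed mini-index: CAPEC id -> (pattern name, keyword tags).
# The keyword tags are an assumption made here; CAPEC itself has no such field.
CAPEC_INDEX = {
    "CAPEC-66": ("SQL Injection", {"form", "query", "database", "search", "field"}),
    "CAPEC-63": ("Cross-Site Scripting (XSS)", {"comment", "post", "display", "html", "message"}),
    "CAPEC-112": ("Brute Force", {"password", "login", "credential", "pin"}),
    "CAPEC-115": ("Authentication Bypass", {"login", "authenticate", "session", "token"}),
    "CAPEC-593": ("Session Hijacking", {"session", "cookie", "token"}),
    "CAPEC-62": ("Cross Site Request Forgery", {"submit", "form", "request", "session"}),
    "CAPEC-126": ("Path Traversal", {"file", "upload", "download", "path", "filename"}),
    "CAPEC-1": ("Accessing Functionality Not Properly Constrained by ACLs",
                {"grade", "instructor", "role", "permission", "admin"}),
}

# Minimal stopword list; enough for the constructed use case below.
STOPWORDS = {"a", "an", "and", "the", "on", "with", "to", "who", "of", "in", "is",
             "it", "or", "for", "by", "at", "from", "as", "be", "that", "this", "then"}

# Constructed use case description for a Blackboard-style learning management system.
USE_CASE_NAME = "Submit Assignment"
USE_CASE_TEXT = (
    "A student enters a username and password on the login page. The system "
    "authenticates the student and creates a session. The student selects a course, "
    "opens the assignment page, and uploads a file with a filename and an optional "
    "comment. The system stores the file and displays the comment to the instructor, "
    "who assigns a grade."
)


def _singular(word):
    """Crude stemming: drop a trailing 's' so 'uploads' and 'upload' share a keyword."""
    if len(word) > 3 and word.endswith("s") and not word.endswith("ss"):
        return word[:-1]
    return word


def extract_keywords(description):
    """Return a Counter of candidate keywords (lower-cased, stopwords removed, stemmed)."""
    tokens = re.findall(r"[a-z]+", description.lower())
    return Counter(_singular(t) for t in tokens if t not in STOPWORDS)


def keyword_specificity(index):
    """Count how many patterns list each tag; tags shared by many patterns discriminate poorly."""
    df = Counter()
    for _, tags in index.values():
        df.update(tags)
    return df


def rank_patterns(keywords, index, min_overlap=1):
    """Score each pattern by the use-case frequency of the tags it shares with the text.

    Returns a list of (capec_id, name, sorted shared keywords, score), best first;
    ties are broken by numeric CAPEC id. Patterns sharing fewer than min_overlap
    keywords are dropped rather than reported with a zero score.
    """
    ranked = []
    for cid, (name, tags) in index.items():
        shared = sorted(tags & set(keywords))
        if len(shared) < min_overlap:
            continue
        score = sum(keywords[w] for w in shared)
        ranked.append((cid, name, shared, score))
    ranked.sort(key=lambda r: (-r[3], int(r[0].split("-")[1])))
    return ranked


def abuse_cases(use_case_name, ranked):
    """Turn each retrieved pattern into an abuse-case stub the analyst can then refine."""
    return [
        f"{use_case_name}: an attacker applies {cid} ({name}) "
        f"through the use-case elements {', '.join(shared)}"
        for cid, name, shared, _ in ranked
    ]


if __name__ == "__main__":
    kw = extract_keywords(USE_CASE_TEXT)
    for line in abuse_cases(USE_CASE_NAME, rank_patterns(kw, CAPEC_INDEX)):
        print(line)
    df = keyword_specificity(CAPEC_INDEX)
    print("tags shared by 3 or more patterns:", [t for t, n in df.items() if n >= 3])
```

Run as a script it prints seven abuse-case stubs, with Path Traversal first (the upload step contributes "file", "filename" and "upload") and SQL Injection absent because no keyword in this use case points at it. The specificity count shows the caveat a practitioner should keep in mind with raw overlap scoring: a tag such as "session" is listed by three patterns here, so it pulls in Session Hijacking and CSRF on one shared word each; an inference engine of the kind the abstract mentions would weight such tags down, and in any case the ranked list is a starting point for human review, not a finished abuse case.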


Notes

  1. Blackboard Learn is a virtual learning environment and course management system developed by Blackboard Inc.

  2. http://socnetv.org/.


Acknowledgements

This work is partially supported by the National Science Foundation under grant HRD-1332504. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Author information

Corresponding author: Imano Williams.


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Williams, I., Yuan, X. (2019). A User Study: Abuse Cases Derived from Use Case Description and CAPEC Attack Patterns. In: Kim, K., Baek, N. (eds) Information Science and Applications 2018. ICISA 2018. Lecture Notes in Electrical Engineering, vol 514. Springer, Singapore. https://doi.org/10.1007/978-981-13-1056-0_25

  • DOI: https://doi.org/10.1007/978-981-13-1056-0_25

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-1055-3

  • Online ISBN: 978-981-13-1056-0

  • eBook Packages: Engineering (R0)
