Browse > Article
http://dx.doi.org/10.3745/KIPSTD.2006.13D.1.067

Identifying Security Requirement using Reusable State Transition Diagram at Security Threat Location  

Seo Seong-Chae (전남대학교 전산학과)
You Jin-Ho (전남대학교 대학원 전산학과)
Kim Young-Dae (전남대학교 대학원 전산학과)
Kim Byung-Ki (전남대학교 전자컴퓨터정보통신공학부)
Publication Information
The KIPS Transactions:PartD / v.13D, no.1, 2006 , pp. 67-74 More about this Journal
Abstract
The security requirements identification in the software development has received some attention recently. However, previous methods do not provide clear method and process of security requirements identification. We propose a process that software developers can build application specific security requirements from state transition diagrams at the security threat location. The proposed process consists of building model and identifying application specific security requirements. The state transition diagram is constructed through subprocesses i) the identification of security threat locations using security failure data based on the point that attackers exploit software vulnerabilities and attack system assets, ii) the construction of a state transition diagram which is usable to protect, mitigate, and remove vulnerabilities of security threat locations. The identification Process of application specific security requirements consist of i) the analysis of the functional requirements of the software, which are decomposed into a DFD(Data Flow Diagram; the identification of the security threat location; and the appliance of the corresponding state transition diagram into the security threat locations, ii) the construction of the application specific state transition diagram, iii) the construction of security requirements based on the rule of the identification of security requirements. The proposed method is helpful to identify the security requirements easily at an early phase of software development.
Keywords
Security; Security Requirement; Analysis;
Citations & Related Records
Times Cited By KSCI : 2  (Citation Analysis)
연도 인용수 순위
1 CC, Common Criteria for Information Technology Security Evaluation, Version 2.1, CCIMB-99-031, Aug., 1999
2 M. Bishop, 'Vulnerabilities Analysis', Web proceedings of the 2nd International Workshop on Recent Advances in Intrusion Detection (RAID'99), 1999
3 B. Boehm, 'Software Engineering Economics', Prentice-Hall, 1981
4 A. Hall and R. Chapman, 'Correctness by Construction', IEEE Software Vol.19, No.1, pp.18-25, 2002   DOI   ScienceOn
5 A. V. Lamsweerde, 'Elaborating Security Requirements by Construction of Intentional Anti-Models', Proceedings of the 26th International Conference on Software Engineering (ICSE'04), pp.148-157, 2004
6 A. P. Moore, R. J. Ellison, R. C. Linger, 'Attack Modeling for Information Security and Survivability', CMU/SEI2001-TN-001, Mar., 2001
7 A. P. Moore, R. J. Ellison, L. Bass, M. Klein, F. Bachmann, 'Security and Survivability Reasoning Frameworks and Architectural Design Tactics', CMU/SEI-2004-TN-022, 2004
8 P. T. Devanbu, S. Stubblebine. 'Software Engineering for Security: A Roadmap', ICSE 2000, pp.227-239, 2000   DOI
9 서정국, 최경희, 정기현, 박승규, 심재홍, '인터넷 보안 시뮬레이션을 위한 공격모델링', 정보처리학회논문지C, 제11-C권 제2호, pp.183-192, 2004   과학기술학회마을   DOI
10 장세진, 최상수, 이강수, 최희봉, '보안 요구사항 도출 및 명세를 위한 CC기반 Misuse Case 모델', 정보과학회 2004년 춘계학술대회 Vol.31, No.1, pp.0277 -0279, 2004   과학기술학회마을
11 J. A. Whittacker and M. Howard, 'Building More Secure Software With Improved Development Processes', IEEE Security & Privacy, Vol.2, Issue 6, pp.63-65 Nov/Dec., 2004   DOI   ScienceOn
12 J. Jurjens, 'UMLsec : Extending UML for secure systems development', In UML 2002, 2002
13 M. Schumacher and U. Roedig, 'Security Engineering with Patterns,' in PLoP Proceedings 2001
14 G. McGraw, B. Potter, 'Software Security Testing', IEEE Security & Privacy, Vol.2, Issue 5, pp.81 -85, Sep/Oct., 2004   DOI   ScienceOn
15 M. Schumacher and U. Roedig, 'Security Engineering with Patterns', In PLoP Proceedings 2001
16 M. Schumacher, 'Security Patterns And Security Standards', in PLoP Proceedings 2001
17 L. M. Cysneiros and J. C. S. P. Leiter, 'Nonfunctional requirements: from elicitation to conceptual models', IEEE Transactions on Software Engineering, Vol.30, No.5, pp.328-350, May, 2004   DOI   ScienceOn
18 M. Howard and D. C. LeBlanc, 'Writing Secure Code', 2nd Ed., Microsoft, 2003
19 J. Viega, G. McGraw, 'Building Secure Software', Addison Wesley, 2004
20 L. Liu, E. yu, J. Mylopoulos. 'Security and Privacy Requirements Analysis within a Social Setting', Proceedings of the 11th IEEE International Requirements Engineering Conference, pp.151-161, 2003
21 J. McDermott, 'Extracting Security Requirements by Misuse Cases', Proc. 27th Technology of Objected-Oriented Languages and Systems(TOOLS-37 Pacific 2000), Sydney, Australia, pp.120-131, 2000
22 L. M. Cysneiros and J. C. S. P. Leiter, 'Integrating Non-Functional Requirements into data modeling', Proceedings of the 4th International Sysmposium on Requirements Engineering, pp.162-171, 1999
23 J. McDermott, C. Fox, 'Using Abuse Case Models for Security Requirements Analysis', Proc. Annual Computer Security Applications Conference (ACSAC'99), pp.55-64, 1999   DOI
24 I. V. Krsul, 'Computer Vulnerability Analysis', PhD thesis, Purdue University, 1998
25 I. Alexander, 'Misuse Cases: Use Cases with Hostile Intent', IEEE Software Jan/Feb, 2003, pp.58-66, 2003   DOI   ScienceOn
26 G. Sindre and A. L. Opdahl, 'Capturing Security Requirements through Misuse Cases', Proc. 14th Norwegian Informatics Conference, Norway, pp.26-28, Nov., 2001
27 G. McGraw, 'Software Security', IEEE Security & Privacy, pp.80-83, Mar/Apr., 2004   DOI   ScienceOn
28 G. Hoglund, G. McGraw, 'Exploiting Software: How to break code', Addison Wesley, 2004
29 D. G. Firesmith, 'Specifying Reusable Security Requirements', Journal of Object Technology(JOT), Vol.3, No.1, 2004   DOI
30 D. G. Firesmith, 'Security Use Case', Journal of Object Technoly(JOT), Vol.2, No.3, pp.53-64, May/Jun, 2003   DOI
31 L. Chung, B. Nixon, E. Yu, and J. Mylopoulos, 'Non-Functional Requirements in Software Engineering', Kluwer Academic Publishers, 1999
32 L. M. Cysneiros, J. C. S. P. Leiter and J. S. M. Neto, 'A Framework for Integrating Non-Functional Requirements into Conceptual Models', Requirements Engineering Journal, Vol.6, Issue2, pp.97-115, Apr., 2001   DOI
33 L. M. Cysneiros and J. C. S. P. Leiter, 'Using UML to Reflect Non-Functional Requirements', Proceedigns of the 11 CASCON, IBM Canada, Toronto Nov 2001, pp.202-216, 2001