http://dx.doi.org/10.7472/jksii.2022.23.1.49

Study on security requirements for the web based operation system of a shipping company

Chung, Up (School of Cybersecurity, Korea University)
Moon, Jongsub (School of Cybersecurity, Korea University)
Publication Information
Journal of Internet Computing and Services, v.23, no.1, 2022, pp. 49-68
Abstract
The operation system of a shipping company still typically runs in a mainframe-based terminal access environment or a client/server environment, and the number of shipping companies migrating it to a web-based environment is growing. However, if the new system is designed from the old configuration and knowledge, without considering the characteristics of the web-based environment and of the shipping business, various security vulnerabilities surface only at the operation stage, and the maintenance cost of fixing them rises significantly. Therefore, in the transition to a web-based environment, security design must begin at the design stage to ensure system safety and to reduce security-related maintenance costs later. This paper examines the characteristics of various threat modeling techniques, selects the technique suited to the operation system of a shipping company, applies data flow diagrams and STRIDE threat modeling to the shipping business, derives the possible security threats to each component of the data flow diagram from the attacker's point of view, validates the derived threats by mapping them to attack library items, represents them as an attack tree of the scenarios an attacker could follow to reach a final goal, organizes the result into a checklist of security check items with their associated threats and security requirements, and finally presents 23 security requirements that respond to those threats. Unlike existing general security requirements, the requirements presented here reflect the characteristics of the shipping business, because they are derived by analyzing the actual business of a shipping company and applying a threat modeling technique.
Therefore, I think that the presented security requirements will be of great help in the security design of shipping companies that are trying to proceed with the transition to a web-based environment in the future.
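The core of the method described above is STRIDE-per-element: each kind of DFD component (external entity, process, data store, data flow) attracts a fixed subset of the six STRIDE categories, and walking the diagram yields the raw threat list that is later validated and turned into a checklist. The following example, added here and not code from the paper, applies that mapping to a small constructed DFD of a web-based booking flow. The element names, the trust-boundary and audit-log flags, the priority rule, and the requirement hints are all assumptions for illustration; they are not the paper's 23 requirements.

```python
"""STRIDE-per-element threat enumeration over a small data flow diagram.

Added example (not the paper's code). The STRIDE-per-element chart is
the standard one from Shostack's "Threat Modeling"; the DFD below is a
constructed booking flow, and the requirement hints are generic.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# Standard STRIDE-per-element chart. Letters: S poofing, T ampering,
# R epudiation, I nformation disclosure, D enial of service, E levation.
STRIDE_PER_ELEMENT = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",  # R applies only to stores holding audit evidence
    Kind.FLOW: "TID",
}

CATEGORY = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Generic security-requirement hints per category (illustrative, assumed).
REQUIREMENT_HINT = {
    "S": "authenticate the principal (strong credentials, session binding)",
    "T": "validate input and protect integrity (signing, server-side checks)",
    "R": "record tamper-evident, attributable logs",
    "I": "encrypt in transit/at rest and enforce need-to-know access control",
    "D": "rate-limit, set quotas and timeouts, monitor availability",
    "E": "enforce server-side authorization on every action",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    crosses_boundary: bool = False  # flow crossing a trust boundary
    holds_audit_log: bool = False   # store whose content is evidence


@dataclass(frozen=True)
class Threat:
    element: str
    kind: str
    category: str
    priority: str
    requirement: str


# Constructed DFD: shipper's browser -> booking web app -> DB / audit log.
BOOKING_DFD = [
    Element("Shipper browser", Kind.EXTERNAL),
    Element("Booking web app", Kind.PROCESS),
    Element("Booking DB", Kind.STORE),
    Element("Audit log", Kind.STORE, holds_audit_log=True),
    Element("Shipper browser -> Booking web app", Kind.FLOW, crosses_boundary=True),
    Element("Booking web app -> Booking DB", Kind.FLOW),
    Element("Booking web app -> Audit log", Kind.FLOW),
]


def applicable(elem: Element) -> str:
    """STRIDE letters that apply to this element, per the chart above."""
    letters = STRIDE_PER_ELEMENT[elem.kind]
    if elem.kind is Kind.STORE and not elem.holds_audit_log:
        letters = letters.replace("R", "")  # repudiation is about evidence
    return letters


def enumerate_threats(dfd: List[Element]) -> List[Threat]:
    """Walk the DFD and emit one candidate threat per (element, category)."""
    rows = []
    for elem in dfd:
        for letter in applicable(elem):
            # Assumed priority rule: anything crossing a trust boundary is high.
            priority = "high" if elem.crosses_boundary else "medium"
            rows.append(Threat(elem.name, elem.kind.value, CATEGORY[letter],
                               priority, REQUIREMENT_HINT[letter]))
    return rows


def render_checklist(rows: List[Threat]) -> str:
    """Plain-text checklist: element | kind | threat | priority | requirement."""
    return "\n".join(
        f"[{r.priority:6}] {r.element} ({r.kind}): {r.category} -> {r.requirement}"
        for r in rows)


if __name__ == "__main__":
    print(render_checklist(enumerate_threats(BOOKING_DFD)))
```

The output is only the raw threat list; the paper's remaining steps (mapping each row to attack library items, building the attack tree, and consolidating rows into final requirements) are judgement work done on top of such a list, which is why the flags and priority rule here are kept explicit rather than hidden in the mapping.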
Keywords
Shipping company; Threat modeling; STRIDE; Security requirement;