A User Study: Abuse Cases Derived from Use Case Description and CAPEC Attack Patterns
Developers should incorporate software security best practices from the early stages of the software development lifecycle (SDLC) to build software that is more robust against security attacks. However, incorporating security practices at the early stages of the SDLC is difficult for novice software developers who do not have a systematic approach to addressing security issues. In this paper, we propose a preliminary method to derive abuse cases, one of the software security best practices, from use case descriptions and attack patterns, and then evaluate the method in a user study. We investigated the effectiveness of the proposed method in helping novices develop abuse cases and gained insights into how a novice in software security would select keywords from use case descriptions and select relevant attack patterns for developing abuse cases. Our main findings were (1) the approaches participants used to select the keywords and the attack patterns as they related to the use cases; (2) the approach used to select relevant attack patterns; (3) the relationship between the keywords and the attack patterns; and (4) use case based on the textual content showed that the method can be effective in assisting non-experts to create abuse cases. Finally, we suggest possible approaches to select keywords more effectively and the implication of using an inference engine to build relationships between use cases and attack patterns.
Keywords: Software security, Attack patterns, Abuse cases
This work is partially supported by National Science Foundation under the grant HRD-1332504. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.