SwePub

Result list for search "WFRF:(Tuma Katja 1991) srt2:(2018)"


  • Results 1-4 of 4
1.
  •  
2.
  • Tuma, Katja, 1991, et al. (author)
  • Threat analysis of software systems: A systematic literature review
  • 2018
  • In: Journal of Systems and Software. - : Elsevier BV. - 0164-1212. ; 144, pp. 275-294
  • Journal article (peer-reviewed). Abstract:
    • Architectural threat analysis has become an important cornerstone for organizations concerned with developing secure software. Due to the large number of existing techniques it is becoming more challenging for practitioners to select an appropriate threat analysis technique. Therefore, we conducted a systematic literature review (SLR) of the existing techniques for threat analysis. In our study we compare 26 methodologies for what concerns their applicability, characteristics of the required input for analysis, characteristics of analysis procedure, characteristics of analysis outcomes and ease of adoption. We also provide insight into the obstacles for adopting the existing approaches and discuss the current state of their adoption in software engineering trends (e.g. Agile, DevOps, etc.). As a summary of our findings we have observed that: the analysis procedure is not precisely defined, there is a lack of quality assurance of analysis outcomes and tool support and validation are limited.
3.
  • Tuma, Katja, 1991 (author)
  • Towards Efficiency and Quality Assurance in Threat Analysis of Software Systems
  • 2018
  • Licentiate thesis (other academic/artistic). Abstract:
    • Context: Security threats have been a growing concern in many organizations. Organizations developing software products strive to plan for security as soon as possible to mitigate such potential threats. In the design phase of the software development life-cycle, teams of experts routinely analyze the system architecture and design to find potential security threats. Objective: The goal of this research is to improve on the performance of existing threat analysis techniques and support practitioners with automation and tool support. To understand the inner-workings of existing threat analysis methodologies we also conduct a systematic literature review examining 26 methodologies in detail. Our industrial partners confirm that existing techniques are labor intensive and do not provide quality guarantees about their outcomes. Method: We conducted empirical studies for building an in-depth understanding of existing techniques (Systematic Literature Review (SLR), controlled experiments). Further we rely on empirical case studies for ongoing validation of an attempted technique performance improvement. Findings: We have found that using a novel risk-first approach can help reduce the labor while producing the same level of outcome quality in a shorter period of time. Further, we suggest that the key for a successful application of this approach is twofold. First, widening the analysis scope to end-to-end scenarios guides the analyst to focus on important assets. Second, appropriate model abstractions are required to manage the cognitive load of the human analysts. We have also found that reasoning about security in a formal setting requires extending the existing notations with security semantics. Further, minimal model extensions for doing so include security contracts for system nodes handling sensitive information. In such a setting, the analysis can be automated and can to some extent provide completeness guarantees.
Future work: In the future, we plan to further study the analysis completeness guarantees. In particular, we plan to improve on the analysis automation and investigate complementary techniques for analysis completeness (namely informal pattern based techniques). We also plan to work on the disconnect between the planned and implemented security.
4.
  • Tuma, Katja, 1991, et al. (author)
  • Two architectural threat analysis techniques compared
  • 2018
  • In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). - Cham : Springer International Publishing. - 1611-3349 .- 0302-9743. ; 11048 LNCS, pp. 347-363
  • Conference paper (peer-reviewed). Abstract:
    • In an initial attempt to systematize the research field of architectural threat analysis, this paper presents a comparative study of two threat analysis techniques. In particular, the controlled experiment presented here compares two variants of Microsoft’s STRIDE. The two variants differ in the way the analysis is performed. In one case, each component of the software system is considered in isolation and scrutinized for potential security threats. In the other case, the analysis has a wider scope and considers the security threats that might occur in a pair of interacting software components. The study compares the techniques with respect to their effectiveness in finding security threats (benefits) as well as the time that it takes to perform the analysis (cost). We also look into other human aspects which are important for industrial adoption, like, for instance, the perceived difficulty in learning and applying the techniques as well as the overall preference of our experimental participants.