Search: onr:"swepub:oai:gup.ub.gu.se/306823"
Finding security threats that matter: Two industrial case studies
- Tuma, Katja, 1991 (author)
  - Gothenburg University, Göteborgs universitet, Institutionen för data- och informationsteknik (GU), Department of Computer Science and Engineering (GU)
- Sandberg, C. (author)
- Thorsson, U. (author)
- Widman, M. (author)
- Herpel, T. (author)
- Scandariato, R. (author)
- Elsevier BV, 2021
- English.
- Part of: Journal of Systems and Software. - : Elsevier BV. - 0164-1212. ; 179
- Related links:
  - https://gup.ub.gu.se...
  - https://doi.org/10.1...
Abstract
- In the past decade, speed has become an essential trait of software development (e.g., agile, continuous integration, DevOps), and any inefficiency is considered an unaffordable waste of time. Such a fast pace causes challenges for architectural threat analysis. Leading techniques for threat analysis, like STRIDE, have the advantage of being systematic. However, they are not equipped to discern between important and less critical threats while the threats are being discovered. Consequently, many threats are discarded at a later time, when their risk value is assessed. An alternative technique, called eSTRIDE, promises to remove these inefficiencies by focusing the analysis on the critical parts of the architecture. Yet no empirical evidence exists about the actual effect of trading off systematicity for a more focused attention on high-priority threats. This paper contributes an empirical study comparing these two approaches in the context of two industrial case studies. We found that the two approaches yield the same number of security threats during a given time frame. However, participants using eSTRIDE found twice as many high-priority threats. The underlying analysis procedures cause similarities and differences in the execution. In addition, security expertise has an effect (albeit small) on the quality of analysis outcomes and execution. © 2021 Elsevier Inc. All rights reserved.
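The trade-off the abstract describes, as an added example that is not code from the paper: a systematic STRIDE-per-element pass records every applicable threat category for every element of a data-flow diagram and only learns which ones matter when risk is assessed afterwards, whereas an asset-focused pass decides criticality first and spends its time only on elements that handle critical assets. The "eSTRIDE-style" pass below is a deliberate simplification of the real technique (it keeps only the up-front scoping to critical assets), the risk model (a threat is high-priority when its element handles a critical asset) is an assumption, and the sample diagram of a small payment service is constructed for the example.

```python
from dataclasses import dataclass

# STRIDE-per-element: which threat categories apply to each DFD element type.
# (S)poofing, (T)ampering, (R)epudiation, (I)nformation disclosure,
# (D)enial of service, (E)levation of privilege.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    assets: frozenset  # assets handled by this element


@dataclass
class Threat:
    element: str
    category: str
    assets: frozenset
    priority: str = "unassessed"


def stride_enumerate(elements):
    """Systematic pass: every applicable category for every element, in
    diagram order, with no regard to what the element handles."""
    return [Threat(e.name, c, e.assets)
            for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]


def assess_risk(threats, critical_assets):
    """Late-stage risk assessment (simplified model, assumed here): a threat
    is high-priority if the element it targets handles a critical asset."""
    for t in threats:
        t.priority = "high" if t.assets & critical_assets else "low"
    return threats


def focused_enumerate(elements, critical_assets):
    """Scoped pass (simplified stand-in for eSTRIDE): criticality is decided
    before enumeration, and only elements handling critical assets are analysed."""
    scoped = [e for e in elements if e.assets & critical_assets]
    return assess_risk(stride_enumerate(scoped), critical_assets)


def high_priority(threats):
    return [t for t in threats if t.priority == "high"]


def compare(elements, critical_assets, budget):
    """Model a fixed time frame as the first `budget` threats each approach
    gets to record. The systematic pass assesses risk only on what it recorded;
    the focused pass never records threats on non-critical elements."""
    systematic = assess_risk(stride_enumerate(elements)[:budget], critical_assets)
    focused = focused_enumerate(elements, critical_assets)[:budget]
    return {
        "systematic_found": len(systematic),
        "systematic_high": len(high_priority(systematic)),
        "focused_found": len(focused),
        "focused_high": len(high_priority(focused)),
    }


# Constructed sample DFD for a small payment service (not from the paper).
ELEMENTS = [
    Element("User", "external_entity", frozenset({"credentials"})),
    Element("User->Web", "data_flow", frozenset({"credentials"})),
    Element("Web App", "process", frozenset({"credentials", "card_data"})),
    Element("Web->DB", "data_flow", frozenset({"card_data"})),
    Element("Customer DB", "data_store", frozenset({"card_data"})),
    Element("Web->Metrics", "data_flow", frozenset({"metrics"})),
    Element("Metrics Store", "data_store", frozenset({"metrics"})),
    Element("Dashboard", "process", frozenset({"metrics"})),
]
CRITICAL_ASSETS = frozenset({"card_data"})

if __name__ == "__main__":
    full = assess_risk(stride_enumerate(ELEMENTS), CRITICAL_ASSETS)
    print(len(full), "threats in a full pass,", len(high_priority(full)), "high-priority")
    print(compare(ELEMENTS, CRITICAL_ASSETS, budget=12))
```

With a budget of 12 recorded threats, both passes "find" 12, but the systematic pass has spent most of them on the user-facing elements that come first in the diagram and ends with 7 high-priority threats, while the scoped pass ends with 12. The model says nothing about the cost of the up-front asset analysis or about threats that exist only on non-critical elements, which is exactly the systematicity the paper reports being traded away.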
Subject headings
- NATURVETENSKAP -- Data- och informationsvetenskap -- Programvaruteknik (hsv//swe)
- NATURAL SCIENCES -- Computer and Information Sciences -- Software Engineering (hsv//eng)
Keywords
- Threat analysis
- Risk
- STRIDE
- Case study
- Empirical software engineering
- Security deskilling
- software systems
- requirements
- Computer Science
Publication and content type
- ref (refereed)
- art (journal article)