Eliciting Security Requirements for an Information System using Asset Flows and Processor Deployment

Haruhiko Kaiya (Department of Computer Science, Shinshu University, Nagano, Japan), Junya Sakai (Department of Computer Science, Shinshu University, Nagano, Japan), Shinpei Ogata (Department of Computer Science, Shinshu University, Nagano, Japan) and Kenji Kaijiri (Department of Computer Science, Shinshu University, Nagano, Japan)
Copyright: © 2013 | Pages: 22
DOI: 10.4018/jsse.2013070103

Abstract

The authors cannot comprehensively determine all of the vulnerabilities to an attack from requirements descriptions alone. To resolve the problem, the authors propose a method for eliciting security requirements using information about the system architecture. The authors convert a use-case description into a variation of a data flow diagram called an asset-flow diagram (AFD). The authors then refine the AFDs based on a processor deployment diagram (PDD), which gives information about the system architecture. By using vulnerability patterns for an attack, the authors distinguish vulnerabilities to the attack that are identifiable in AFDs from the remaining vulnerabilities to the attack. To prohibit the former vulnerabilities, security requirements are defined as countermeasures and/or modifications of existing requirements. To prevent the latter vulnerabilities, security requirements are defined as design and implementation constraints. Through an evaluation of a web application, the authors show that their method enables them to elicit security requirements against several different attacks in different system architectures.
Article Preview

2. Some Well-Known Attacks

The following attacks on Web applications were taken from a web site on Web application risks (OWASP, 2010):
