Experiences from Using the CORAS Methodology to Analyze a Web Application

Abstract

During a field trial performed at the Norwegian telecom company NetCom from May 2003 to July 2003, a methodology for model-based risk analysis was assessed. The chosen methodology was the CORAS methodology (CORAS, 2000), which has been developed in a European research project carried out by 11 European companies and research institutes partly funded by the European Union. The risk analysis and assessment were carried out by the Norwegian research institute SINTEF in cooperation with NetCom. NetCom (www.netcom.no) is one of the main mobile phone network providers in Norway. Their ‘MinSide’ application offers their customers access to their personal account information via the Internet, enabling them to view and change the properties of their mobile phone subscription. ‘MinSide’ deals with a lot of sensitive customer information that needs to be secure, while at the same time being easily available tithe customer in order for the service to remain usable and competitive. The goal of the analysis was to identify risks in relation to the use of the ‘MinSide’ application and, where possible, suggest treatments for these risks. This was achieved through two model-driven brainstorming sessions based on system documentation in the form of UML sequence diagrams and data flow diagrams.