On the design of more secure software-intensive systems by use of attack patterns

Authors:
Michael Gegick;Laurie Williams
Affiliations:
North Carolina State University, Department of Computer Science, 890 Oval Drive, Campus Box 8206, Raleigh, NC 27695, USA;North Carolina State University, Department of Computer Science, 890 Oval Drive, Campus Box 8206, Raleigh, NC 27695, USA
Venue:
Information and Software Technology
Year:
2007

Citing 12
Cited 0

A taxonomy of computer program security flaws

ACM Computing Surveys (CSUR)
Attack net penetration testing

Proceedings of the 2000 workshop on New security paradigms
Collaborative attack modeling

Proceedings of the 2002 ACM symposium on Applied computing
Writing Secure Code

Writing Secure Code
MOPS: an infrastructure for examining security properties of software

Proceedings of the 9th ACM conference on Computer and communications security
Windows of Vulnerability: A Case Study Analysis

Computer
Software Defect Reduction Top 10 List

Computer
Software vulnerability analysis

Software vulnerability analysis
Using build-integrated static checking to preserve correctness invariants

Proceedings of the 11th ACM conference on Computer and communications security
Matching attack patterns to security vulnerabilities in software-intensive system designs

SESS '05 Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications
Software Security: Building Security In

Software Security: Building Security In
Building Secure Software: How to Avoid Security Problems the Right Way (paperback) (Addison-Wesley Professional Computing Series)

Building Secure Software: How to Avoid Security Problems the Right Way (paperback) (Addison-Wesley Professional Computing Series)

Quantified Score

Hi-index	0.00

Visualization

Abstract

Retrofitting security implementations to a released software-intensive system or to a system under development may require significant architectural or coding changes. These late changes can be difficult and more costly than if performed early in the software process. We have created regular expression-based attack patterns that show the sequential events that occur during an attack. By performing a Security Analysis for Existing Threats (SAFE-T), software engineers can match the symbols of a regular expression to their system design. An architectural analysis that identifies security vulnerabilities early in the software process can prepare software engineers for which security implementations are necessary when coding starts. A case study involving students in an upper-level undergraduate security course suggests that SAFE-T can be performed by relatively inexperienced engineers who are not experts in security. Data from the case study also suggest that the attack patterns do not restrict themselves to vulnerabilities in specific environments.