A Hybrid Threat Model for Software Security Requirement Specification

2016 International Conference on Information Science and Security (ICISS) Pub Date : 2016-12-01 DOI:10.1109/ICISSEC.2016.7885836

Habeeb Omotunde, R. Ibrahim

{"title":"A Hybrid Threat Model for Software Security Requirement Specification","authors":"Habeeb Omotunde, R. Ibrahim","doi":"10.1109/ICISSEC.2016.7885836","DOIUrl":null,"url":null,"abstract":"Security is often treated as secondary or a non- functional feature of software which influences the approach of vendors and developers when describing their products often in terms of what it can do (Use Cases) or offer customers. However, tides are beginning to change as more experienced customers are beginning to demand for more secure and reliable software giving priority to confidentiality, integrity and privacy while using these applications. This paper presents the MOTH (Modeling Threats with Hybrid Techniques) framework designed to help organizations secure their software assets from attackers in order to prevent any instance of SQL Injection Attacks (SQLIAs). By focusing on the attack vectors and vulnerabilities exploited by the attackers and brainstorming over possible attacks, developers and security experts can better strategize and specify security requirements required to create secure software impervious to SQLIAs. A live web application was considered in this research work as a case study and results obtained from the hybrid models extensively exposes the vulnerabilities deep within the application and proposed resolution plans for blocking those security holes exploited by SQLIAs.","PeriodicalId":420224,"journal":{"name":"2016 International Conference on Information Science and Security (ICISS)","volume":"11 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 International Conference on Information Science and Security (ICISS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICISSEC.2016.7885836","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

Security is often treated as secondary or a non- functional feature of software which influences the approach of vendors and developers when describing their products often in terms of what it can do (Use Cases) or offer customers. However, tides are beginning to change as more experienced customers are beginning to demand for more secure and reliable software giving priority to confidentiality, integrity and privacy while using these applications. This paper presents the MOTH (Modeling Threats with Hybrid Techniques) framework designed to help organizations secure their software assets from attackers in order to prevent any instance of SQL Injection Attacks (SQLIAs). By focusing on the attack vectors and vulnerabilities exploited by the attackers and brainstorming over possible attacks, developers and security experts can better strategize and specify security requirements required to create secure software impervious to SQLIAs. A live web application was considered in this research work as a case study and results obtained from the hybrid models extensively exposes the vulnerabilities deep within the application and proposed resolution plans for blocking those security holes exploited by SQLIAs.

查看原文本刊更多论文

软件安全需求规范的混合威胁模型

安全性通常被视为软件的次要或非功能性特征，它影响供应商和开发人员在描述他们的产品时通常根据它可以做什么(用例)或提供给客户的方法。然而，随着越来越有经验的客户开始要求更安全可靠的软件，在使用这些应用程序时优先考虑保密性、完整性和隐私性，趋势开始发生变化。本文介绍了MOTH(基于混合技术的威胁建模)框架，旨在帮助组织保护其软件资产免受攻击者的攻击，以防止任何SQL注入攻击(sqlia)的实例。通过关注攻击者利用的攻击向量和漏洞，并对可能的攻击进行集思广益，开发人员和安全专家可以更好地制定战略并指定创建不受sqlia影响的安全软件所需的安全需求。本研究以一个实时web应用程序为例，混合模型的结果广泛地揭示了应用程序内部的漏洞，并提出了阻止sqlia利用的安全漏洞的解决方案。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 International Conference on Information Science and Security (ICISS)

自引率

0.00%

发文量