Automating architectural security analysis

Abstract

In earlier work [1] we had looked at implementing the Microsoft STRIDE methodology in the context of evaluating security properties of FMC/TAM architectural diagrams. However, a major drawback of this approach is that it requires significant manual work to assess all reported potential threats, as well as identify concrete follow-ups. Equally, it is not possible to analyse an architecture from the perspective of the primary assets that require protection. This led us to two questions: a) whether using interaction information in architecture diagrams, supported by additional security semantics, can reduce the scope of analysis as well as partly automate it; b) whether using asset-centric and attacker-centric perspectives can complement the software-centric perspective of STRIDE and thus add value to the current threat model.