


Software supports the information structure of businesses and governments worldwide. The growth of the Internet and networked systems has brought an increase in threats and challenges for software development companies. To address this issue, security activities are increasingly being introduced into the software development lifecycle to reduce the number of software defects earlier in the cycle. Reducing software defects earlier in the software lifecycle offers two main advantages: first, it lowers the cost of fixing the software, and second, it limits the risk of deploying insecure software to users. To automate threat modeling, two data structures are introduced, identification trees and mitigation trees, which identify threats in software designs and advise mitigation techniques while taking into account specification requirements and cost concerns. These are the components of our model for automated threat modeling, AutSEC. We validated AutSEC by implementing it in a tool based on data flow diagrams, from the Microsoft security development methodology, and applying it to VOMS, a grid middleware component, to evaluate our model's performance.

The growth of the Internet and networked systems has exposed software to an increased number of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduce the need for costly human expertise to perform risk analysis in software, which is common in secure development methodologies, by automating threat modeling. Reducing the dependency on security experts aims at reducing the cost of secure development by allowing non-security-aware developers to apply secure development with little to no additional cost, making secure development more accessible.
