Secure Coding mailing list archives

Re: Information Security Considerations for Use Case Modeling


From: Johan Peeters <yo () johanpeeters com>
Date: Mon, 27 Jun 2005 08:14:18 +0100


This topic is very pertinent. I agree that the lack of attention paid to
security in many development projects stems from an inability to track
security requirements in the software development life cycle. By
addressing security requirements in a use case model, I believe that
traceability can be improved enormously. However, traditional use cases
are not always adequate to express security requirements. For example,
whereas it may be possible to say that a user needs to authenticate to
perform an action, it is not possible to express that attackers must be
prevented from executing their own code on the system. I therefore feel
there is a strong case for extending the use case concept to abuse
cases, as introduced by McDermott in C. Fox, "Using Abuse Case Model for
Security Requirements Analysis" in 1999 (http://www.acsac.org).
In agile ecologies, use cases have transmuted to user stories. I have
proposed to also extend user stories to abuser stories
(http://www.johanpeeters.com/papers/abuser stories.pdf).

kr,

Yo

Gunnar Peterson wrote:

I have published a new paper on integrating security into Use Case
Modeling:

http://www.arctecgroup.net/secusecase.htm

-gp

--
Johan Peeters
http://www.johanpeeters.com
+32 16 649000
