Secure Coding mailing list archives
Re: Information Security Considerations for Use Case Modeling
From: Johan Peeters <yo () johanpeeters com>
Date: Mon, 27 Jun 2005 08:14:18 +0100
This topic is very pertinent. I agree that the lack of attention paid to security in many development projects stems from an inability to track security requirements in the software development life cycle. By addressing security requirements in a use case model, I believe that traceability can be improved enormously.

However, traditional use cases are not always adequate to express security requirements. For example, whereas it may be possible to say that a user needs to authenticate to perform an action, it is not possible to express that attackers must be prevented from executing their own code on the system. I therefore feel there is a strong case for extending the use case concept to abuse cases, as introduced by McDermott in C. Fox, "Using Abuse Case Model for Security Requirements Analysis" in 1999 (http://www.acsac.org).

In agile ecologies, use cases have transmuted to user stories. I have proposed to also extend user stories to abuser stories (http://www.johanpeeters.com/papers/abuser stories.pdf).

kr,

Yo

Gunnar Peterson wrote:
> I have published a new paper on integrating security into Use Case Modeling:
> http://www.arctecgroup.net/secusecase.htm
>
> -gp

--
Johan Peeters
http://www.johanpeeters.com
+32 16 649000