An Anti-pattern for Misuse Cases

  • Conference paper
  • Computer Security (SECPRE 2017, CyberICPS 2017)

Abstract

Misuse case analysis is a method for the elicitation, documentation, and communication of security requirements. It builds upon the well-established use case analysis method and is one of the few existing techniques dedicated to security requirements engineering. We present an anti-pattern for applying misuse cases, dubbed “orphan misuses.” Orphan misuse cases by and large ignore the system at hand, thus providing little insight into its security. Common symptoms include implementation-dependent threats and overly general, vacuous mitigations. We illustrate orphan misuse cases through examples, explain their negative consequences in detail, and give guidelines for avoiding them.



Author information

Correspondence to Saša Radomirović .


Copyright information

© 2018 Springer International Publishing AG

About this paper

Cite this paper

Dashti, M.T., Radomirović, S. (2018). An Anti-pattern for Misuse Cases. In: Katsikas, S., et al. Computer Security. SECPRE CyberICPS 2017. Lecture Notes in Computer Science, vol 10683. Springer, Cham. https://doi.org/10.1007/978-3-319-72817-9_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-72817-9_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72816-2

  • Online ISBN: 978-3-319-72817-9
