Abstract
In this chapter, I illustrate how modest extensions to the IRIS meta-model, together with complementary updates to CAIRIS, can be used to automate an architectural risk analysis. I introduce meta-models for architectural patterns and contextualised attack patterns; these formalise the elements necessary to facilitate an architectural risk analysis. I show how these elements are applied in practice in Sect. 9.7
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
See Sect. 5.4.1.1 for details on how this score is calculated.
References
McGraw G. Software Security: Building Security. Boston: Addison-Wesley; 2006.
Khan MU, Munib M, Manzoor U, Nefti S. Analyzing risks at architectural level. In: International Conference on Information Society (i-Society 2011); 2011. p. 231–236.
Buschmann F, Meunier R, Rohnert H, Sommerlad P, Stal M. Pattern-oriented software architecture: a system of patterns. Wiley; 1996.
Buhr RJA, Casselman RS. Use Case Maps for Object-Oriented Systems. Prentice Hall; 1996.
Gennari J, Garlan D. Measuring Attack Surface in Software Architecture. Carnegie Mellon University; 2012. CMU-ISR-11-121.
Howard M. Fending Off Future Attacks by Reducing Attack Surface; 2003. https://msdn.microsoft.com/en-us/library/ms972812.
The MITRE Corporation. Common Attack Pattern Enumeration and Classification (CAPEC) web site; 2017. http://capec.mitre.org.
The MITRE Corporation. Common Weakness Enumeration (CWE) web site; 2017. http://cwe.mitre.org.
Gamma E, Helm R, Johnson R, Vlissides J. Design patterns: elements of reusable object-oriented software. Addison-Wesley; 1995.
Van Lamsweerde A, Letier E. Integrating obstacles in goal-driven requirements engineering; 1998. p. 53–62.
Dusseault L. HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV). CommerceNet; 2007. 4918. https://tools.ietf.org/html/rfc4918.
Simpson A, Power D, Russell D, Slaymaker M, Mostefaoui GK, Wilson G, et al. The Development, Testing, and Deployment of a Web Services Infrastructure for Distributed Healthcare Delivery, Research, and Training. In: Managing Web Services Quality: Measuring Outcomes and Effectiveness. IGI Global; 2008. p. 1–22.
Dusseault L. WebDAV: Next-Generation Collaborative Web Authoring. Prentice Hall; 2003.
MITRE. CWE-427: Uncontrolled Search Path Element; 2017. https://cwe.mitre.org/data/definitions/427.html.
MITRE. CAPEC-542: Targeted Malware; 2017. https://capec.mitre.org/data/definitions/542.html.
MITRE. CAPEC-550: Install New Service; 2017. https://capec.mitre.org/data/definitions/550.html.
MITRE. CAPEC-551: Modify Existing Service; 2017. https://capec.mitre.org/data/definitions/551.html.
MITRE. CAPEC-552: Install Rootkit; 2017. https://capec.mitre.org/data/definitions/552.html.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this chapter
Cite this chapter
Faily, S. (2018). Analysing and Managing Architectural Risk. In: Designing Usable and Secure Software with IRIS and CAIRIS. Springer, Cham. https://doi.org/10.1007/978-3-319-75493-2_9
Download citation
DOI: https://doi.org/10.1007/978-3-319-75493-2_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75492-5
Online ISBN: 978-3-319-75493-2
eBook Packages: Computer ScienceComputer Science (R0)