Skip to main content
SpringerLink
Log in

Prioritizing Countermeasures through the Countermeasure Method for Software Security (CM-Sec)

  • Conference paper
Product-Focused Software Process Improvement (PROFES 2010)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 6156))

Abstract

Software security is an important quality aspect of a software system. Therefore, it is important to integrate software security touch points throughout the development life-cycle. So far, the focus of touch points in the early phases has been on the identification of threats and attacks. In this paper we propose a novel method focusing on the end product by prioritizing countermeasures. The method provides an extension to attack trees and a process for identification and prioritization of countermeasures. The approach has been applied on an open-source application and showed that countermeasures could be identified. Furthermore, an analysis of the effectiveness and cost-efficiency of the countermeasures could be provided.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Frühwirth, C.: On business-driven it security management and mismatches between security requirements in firms, industry standards and research work. In: Proceedings of the 10th International Conference on Product-Focused Software Process Improvement (PROFES 2009), pp. 375–385 (2009)

    Google Scholar 

  2. McGraw, G.: Software security: building security in. Addison-Wesley, Upper Saddle River (2006)

    Google Scholar 

  3. Baca, D., Carlsson, B., Lundberg, L.: Evaluating the cost reduction of static code analysis for software security. In: Proceedings of the International Workshop on Programming Languages and Analysis for Security (PLAS 2008), pp. 79–88 (2008)

    Google Scholar 

  4. Baca, D., Petersen, K., Carlsson, B., Lundberg, L.: Static code analysis to detect software security vulnerabilities - does experience matter? In: Proceedings of the The 4th International Conference on Availability, Reliability and Security (ARES 2009), pp. 804–810 (2009)

    Google Scholar 

  5. Howard, M., LeBlanc, D.: Writing Secure Code. Microsoft Press, Redmond, Washington (2003)

    Google Scholar 

  6. Buldas, A., Laud, P., Priisalu, J., Saarepera, M., Willemson, J.: Rational choice of security measures via multi-parameter attack trees. In: López, J. (ed.) CRITIS 2006. LNCS, vol. 4347, pp. 235–248. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  7. Moore, A.P., Ellison, R.J., Linger, R.C.: Attack modeling for information security and survivability. Technical Report Technical Report CMU/SEI-2001-TN-001, Software Engineering Institute (2001)

    Google Scholar 

  8. Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  9. Damm, L.O., Lundberg, L., Wohlin, C.: Faults-slip-through - a concept for measuring the efficiency of the test process. Software Process: Improvement and Practice 11(1), 47–59 (2006)

    Article  Google Scholar 

  10. Peltier, T.R.: Information security risk analysis. Auerbach, Boca Raton (2001)

    Google Scholar 

  11. Schneier, B.: Attack trees. Dr. Dobb’s Journal 24(12), 21–29 (1999)

    Google Scholar 

  12. Viega, J., McGraw, G.: Building secure software: how to avoid security problems the right way. Addison-Wesley, Reading (2002)

    Google Scholar 

  13. Saini, V., Duan, Q., Paruchuri, V.: Threat modeling using attack trees. J. Comput. Small Coll. 23(4), 124–131 (2008)

    Google Scholar 

  14. Hederstierna, A.: Decisions Under Uncertainty - The Usefulness of an Indifference Method for Analysis of Dominance. EFI The Economic Research Institute, Stockholm School of Economics (1981)

    Google Scholar 

  15. Kontio, J.: Risk management in software development: A technology overview and the riskit method. In: Proceedings of the IEEE International Conference on Software Engineering (ICSE 1999), pp. 679–680 (1999)

    Google Scholar 

  16. Berander, P., Svahnberg, M.: Evaluating two ways of calculating priorities in requirements hierarchies - an experiment on hierarchical cumulative voting. Journal of Systems and Software 82(5), 836–850 (2009)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Blekinge Institute of Technology, Box 520, SE-37225, Ronneby, Sweden

    Dejan Baca & Kai Petersen

  2. Ericsson AB, Sweden

    Dejan Baca & Kai Petersen

Authors
  1. Dejan Baca
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kai Petersen
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Software Development Group, IT University of Copenhagen, Rued Langgaards Vej 7, 2300, Copenhagen, Denmark

    M. Ali Babar

  2. VTT Technical Research Centre of Finland, Kaitoväylä 1, 90570, Oulu, Finland

    Matias Vierimaa

  3. Department of Information Processing Science, University of Oulu, P.O. Box 3000, 90014, Oulu, Finland

    Markku Oivo

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Baca, D., Petersen, K. (2010). Prioritizing Countermeasures through the Countermeasure Method for Software Security (CM-Sec). In: Ali Babar, M., Vierimaa, M., Oivo, M. (eds) Product-Focused Software Process Improvement. PROFES 2010. Lecture Notes in Computer Science, vol 6156. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13792-1_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-13792-1_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-13791-4

  • Online ISBN: 978-3-642-13792-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation