Abstract
Software security is an important quality aspect of a software system. Therefore, it is important to integrate software security touch points throughout the development life-cycle. So far, the focus of touch points in the early phases has been on the identification of threats and attacks. In this paper we propose a novel method focusing on the end product by prioritizing countermeasures. The method provides an extension to attack trees and a process for identification and prioritization of countermeasures. The approach has been applied on an open-source application and showed that countermeasures could be identified. Furthermore, an analysis of the effectiveness and cost-efficiency of the countermeasures could be provided.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Frühwirth, C.: On business-driven it security management and mismatches between security requirements in firms, industry standards and research work. In: Proceedings of the 10th International Conference on Product-Focused Software Process Improvement (PROFES 2009), pp. 375–385 (2009)
McGraw, G.: Software security: building security in. Addison-Wesley, Upper Saddle River (2006)
Baca, D., Carlsson, B., Lundberg, L.: Evaluating the cost reduction of static code analysis for software security. In: Proceedings of the International Workshop on Programming Languages and Analysis for Security (PLAS 2008), pp. 79–88 (2008)
Baca, D., Petersen, K., Carlsson, B., Lundberg, L.: Static code analysis to detect software security vulnerabilities - does experience matter? In: Proceedings of the The 4th International Conference on Availability, Reliability and Security (ARES 2009), pp. 804–810 (2009)
Howard, M., LeBlanc, D.: Writing Secure Code. Microsoft Press, Redmond, Washington (2003)
Buldas, A., Laud, P., Priisalu, J., Saarepera, M., Willemson, J.: Rational choice of security measures via multi-parameter attack trees. In: López, J. (ed.) CRITIS 2006. LNCS, vol. 4347, pp. 235–248. Springer, Heidelberg (2006)
Moore, A.P., Ellison, R.J., Linger, R.C.: Attack modeling for information security and survivability. Technical Report Technical Report CMU/SEI-2001-TN-001, Software Engineering Institute (2001)
Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006)
Damm, L.O., Lundberg, L., Wohlin, C.: Faults-slip-through - a concept for measuring the efficiency of the test process. Software Process: Improvement and Practice 11(1), 47–59 (2006)
Peltier, T.R.: Information security risk analysis. Auerbach, Boca Raton (2001)
Schneier, B.: Attack trees. Dr. Dobb’s Journal 24(12), 21–29 (1999)
Viega, J., McGraw, G.: Building secure software: how to avoid security problems the right way. Addison-Wesley, Reading (2002)
Saini, V., Duan, Q., Paruchuri, V.: Threat modeling using attack trees. J. Comput. Small Coll. 23(4), 124–131 (2008)
Hederstierna, A.: Decisions Under Uncertainty - The Usefulness of an Indifference Method for Analysis of Dominance. EFI The Economic Research Institute, Stockholm School of Economics (1981)
Kontio, J.: Risk management in software development: A technology overview and the riskit method. In: Proceedings of the IEEE International Conference on Software Engineering (ICSE 1999), pp. 679–680 (1999)
Berander, P., Svahnberg, M.: Evaluating two ways of calculating priorities in requirements hierarchies - an experiment on hierarchical cumulative voting. Journal of Systems and Software 82(5), 836–850 (2009)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Baca, D., Petersen, K. (2010). Prioritizing Countermeasures through the Countermeasure Method for Software Security (CM-Sec). In: Ali Babar, M., Vierimaa, M., Oivo, M. (eds) Product-Focused Software Process Improvement. PROFES 2010. Lecture Notes in Computer Science, vol 6156. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13792-1_15
Download citation
DOI: https://doi.org/10.1007/978-3-642-13792-1_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-13791-4
Online ISBN: 978-3-642-13792-1
eBook Packages: Computer ScienceComputer Science (R0)