
Environment-Driven Threats Elicitation for Web Applications

  • Conference paper
Agent and Multi-Agent Systems: Technologies and Applications (KES-AMSTA 2011)

Part of the book series: Lecture Notes in Computer Science ((LNAI,volume 6682))

Abstract

The popularity and complexity of web applications present challenges to the implementation of security in web engineering. Threat elicitation is an indispensable step for developers to identify the possible threats to a web application in the early phases of software development. In this context, a novel approach is proposed to ease threat elicitation for web applications by using a defined web application classification as a sieve to sift a common threat list. The final result shows that the proposed model is a simplified and effective solution to threat elicitation for web applications.




Copyright information

© 2011 Springer-Verlag Berlin Heidelberg


Cite this paper

Guan, H., Chen, W., Liu, L., Yang, H. (2011). Environment-Driven Threats Elicitation for Web Applications. In: O’Shea, J., Nguyen, N.T., Crockett, K., Howlett, R.J., Jain, L.C. (eds) Agent and Multi-Agent Systems: Technologies and Applications. KES-AMSTA 2011. Lecture Notes in Computer Science, vol 6682. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22000-5_31


  • DOI: https://doi.org/10.1007/978-3-642-22000-5_31

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-21999-3

  • Online ISBN: 978-3-642-22000-5
