Uploaded byazida3
PPTX, PDF33 views

Week 6 Secure SW Requirements -Abuse case.pptx

This document details the development and application of abuse cases within the secure software development life cycle (SDLC), outlining their role in identifying potential harmful interactions between actors and systems. It describes the steps for developing abuse cases, such as identifying actors, defining abuse cases, and checking for completeness, while differentiating between use case and abuse case diagrams. Additionally, the document highlights how abuse cases enhance understanding of security requirements during the requirements and design phases of software development.

Embed presentation

Download to read offline
Week 5 : Secure Software Requirements Requirements Phase from SSDLC
Secure SW Requirements Requirements Phase - Secure Software Development Life Cycle
Requirements Phase
Software Security Frameworks A. A. R. Angulo, X. Yang, Q. Niyaz, S. Paheding and A. Y. Javaid, "A Secure Software Engineering Design Framework for Educational Purpose," 2022 IEEE International
Requirements and design phase in SDLC with secure component A. A. R. Angulo, X. Yang, Q. Niyaz, S. Paheding and A. Y. Javaid, "A Secure Software Engineering Design Framework for Educational Purpose," 2022 IEEE International Conference
Define Abuse case
What is Abuse Case? • An abuse case as a specification of a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system • An abuse case should describe the abuse of privilege used to complete the abuse case. • Any abuse can be accomplished by gaining total control of the target machine through modification of the system software or firmware.
What is Abuse Case? • Abuse cases are described using the same strategy as for use cases: use case diagrams and use case descriptions. • There are no use any special symbols for abuse cases in diagrams, that is, an abuse case diagram is drawn with the same symbols as a use case diagram. • This allows to create abuse case specifications in standard notation such as UML and to use design tools such as Rational Rose. • Distinguish the two by keeping them separate and labelling the diagrams. • Abuse cases are not shown on a use case diagram and use cases are not shown on an abuse case diagram. • Abuse cases can also range in levels of abstraction, and we use both essential abuse cases and real abuse cases
Elements of Abuse Case • If a human that is represented by an actor from a use case might also act maliciously in the corresponding role, then a new actor should be defined in the abuse case • A new actor Malicious Student for the abuse case will be defined, rather than have the Student actor associated with the abuse case. Malicious Student
Elements of Abuse Case • The abuse case Tamper with scores
Abuse case description • The description of an abuse case can also slightly differ from the approach taken with use case descriptions. • An abuse case describes a family of undesirable interactions. • The final "implementation" of an abuse case will be through the exploitation of requirements oversights, design flaws, and implementation flaws. • Since we want to use the abuse case model to reduce the number of requirements oversights and design flaws, we may choose describe many abstract "transactions" that might take place to accomplish the same abuse. • Each feature or component of the target system that might be exploited in an abuse case will be considered in the abuse case description
Steps for developing Abuse Case 1. Identify Actors • If an actor in the use case model might attempt harmful use of the system, then add a corresponding malicious actor to the abuse case model. • After the insider roles are represented, then actors should be added for any intruders that might be a problem.
Steps for developing Abuse Case • 2. Identify Abuse Case • For each actor, determine their interactions with the system. Name each abuse case. At this point, it is helpful to draw an abuse case diagram.
Steps for developing Abuse Case • 3. Define Abuse Case • As the interface to the system becomes more refined and the specific components are identified, the abuse case can be described. Since we use a tree structure to describe the possible points of abuse, we defer the definition until there is enough system structure to work with. The definitions can be refined as the description of the system is refined
Steps for developing Abuse Case • 4. Check granularity • There may be too few abuse cases or there may be too many. • Deciding how many are needed is largely a matter of experience and consideration of the specific target system. • There are two ways we can wind up with too many abuse cases: • including possible but unlikely cases, or • modelling with too much detail. • The latter problem results in several abuse cases that are distinguished only by details that are inappropriate for the purpose.
Steps for developing Abuse Case • 5. Check completeness and minimality • Each abuse case description should be checked to see if it describes an interaction that results in harm to a user or stakeholder in the system. • We should also check to see if a critical abuse case may have been omitted. • An abuse case in the model may lack an abuse based on the minimal privilege needed to accomplish the harm. • Requirements documents and the use case model should be reviewed, along with descriptions of anticipated security features. • Users and customers should be consulted to be sure that no critical abuse has been overlooked
Comparison Use Case diagram Abuse Case diagram A complete transaction between one or more actors and a system A family of complete transactions between one or more actors and a system, that results in harm UML-based use case diagrams. UML-based use case diagrams. Typically described using natural language. Typically described using natural language. A tree/DAG diagram may also be used. Potentially one family member for each kind of privilege abuse and for each component that might be exploited. Includes a description of the range of security privileges that may be abused. Includes a description of the harm that results from an abuse case.
An Abuse Case Model For An Internet Based Information Security Lab Use Case diagram Abuse Case diagram
Actor Descriptions - Script Kiddie • Resources • The Script Kiddie operates alone, although he or she may exchange some information with fellow Script Kiddies. The Script Kiddie has hardware, software, and Internet access that might be available to an individual through purchase with personal funds or by theft from an employer. Our model assumes that the Script Kiddie is willing to spend about 24 hours trying to defeat the security of a particular system
Actor Descriptions - Script Kiddie • Skills • Script Kiddies have limited technical skills. The majority of their activities are carried out using tools and techniques devised by other people •Objectives • Script Kiddies may have a variety of criminal objectives including vandalism and theft. They also are interested in demonstrating their technical prowess
Actor Descriptions - Nazgul • Resources • Nazguls operate on behalf of groups that have budgets set aside to accomplish some form of harm. They may have technical assistance from an organization that is tasked with supporting them. They have hardware, software, tools, and Internet access provided by a business, a government, or a quasi-government. They have significant access to documentation of the systems they intend to abuse and may be able to test or simulate an intended exploit on a copy of the target system. We assume that Nazguls may spend up to 90 days in preparation and execution of an attempt to breach the security of the system.
Actor Descriptions - Nazgul • Skills • Nazguls have superior technical skills. They can design operating systems, network protocols, computer hardware, and cryptographic algorithms. They apply software engineering technology, mathematics, computer engineering, and similar disciplines to their exploits. • Objectives • Nazguls are primarily interested in accomplishing the objective of the organization that supports them. They also seek to increase their own skills and knowledge, but not to demonstrate them to anyone. Organizations that support Nazguls do so to carry out espionage, warfare, terrorism or similar harmful activities
An Abuse Case Description: Browse Server Exercise With Warez • Browse Server Exercises with Warez
Applications Of Abuse Case Modelling • Requirements phase • abuse case models can be used to increase both user and customer understanding of the security features of a proposed product. • They can be made simple and abstract enough to be understood by users from a wide range of application domains. • They can be used to show customers what will be prevented and what will not, in terms of their application domain. F • Abuse case models are also useful for security requirements elicitation. • Users can decide, in terms of their own application domain, which threats apply, and which threats should be countered by product security features. • Abuse cases may help security practitioners and users save time in arriving at a good understanding of security requirements.
Applications Of Abuse Case Modelling • Design Phase • we can apply abuse cases through a refutation process. • As we analyse and design the system, we refute each use case to the appropriate level of assurance. This is one reason for describing the actors in greater detail in an abuse case. • Our refutation may depend on the skills, resources, or objectives of the actor. • For example, we may argue that 40-bit cryptographic keys are sufficient to refute an abuse case involving a Script Kiddie actor, because of their specified resource limitations, but not against a Nazgul. • In other instances, our refutation may be based on the properties of a design feature. The strength of the refutation can be used to characterize the assurance we have.
Applications Of Abuse Case Modelling • Testing Phase • During testing, we can design our security function tests to refute abuse cases. • For example, we can apply the abuse case directly as a family of test cases. • We form a test team that has the same skills and resources as the actors associated with the abuse case and let them exercise our system features. • We can also combine testing with other refutation arguments.
Conclusion • Abuse case are particularly useful in communicating with users and customers during requirements analysis and may be easier to understand when trade-offs must be made between security and functionality • Developing an abuse case diagram : 1. The abuse case diagram 2. Describe the actors 3. Abuse case description for each abuse case
References • McGraw, G. (2012). Software security: Building security in. Datenschutz und Datensicherheit-DuD, 36(9), 662-665. • McDermott, J., & Fox, C. (1999, December). Using abuse case models for security requirements analysis. In Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99) (pp. 55-64). IEEE. • A. A. R. Angulo, X. Yang, Q. Niyaz, S. Paheding and A. Y. Javaid, "A Secure Software Engineering Design Framework for Educational Purpose," 2022 IEEE International Conference on Electro Information Technology (eIT), Mankato, MN, USA, 2022, pp. 375-381
29

More Related Content

PPTX
USE case diagrams.ppt.pptx..............
bysalmannawaz6566504
 
PPTX
Lab 3 Introduction to the UML - how to create a use case diagram
byFarah Ahmed
 
PDF
Requirement analysis and UML modelling in Software engineering
bysnehalkulkarni74
 
PPTX
Use case modeling & analysis v 1
byJIGAR MAKHIJA
 
PPTX
System Analysis ct1414-lecture_3-part1.pptx
byIsaacKasisi
 
PPTX
Use Case Modeling In UML
bySyed Hassan Ali
 
PDF
UseCaseDiagrams.pdf shhsja whuwbwnwhwywbw
by211b410
 
PPT
Lecture 3 - Misuse Cases Final.ppt
byDrBasemMohamedElomda
 
USE case diagrams.ppt.pptx..............
bysalmannawaz6566504
 
Lab 3 Introduction to the UML - how to create a use case diagram
byFarah Ahmed
 
Requirement analysis and UML modelling in Software engineering
bysnehalkulkarni74
 
Use case modeling & analysis v 1
byJIGAR MAKHIJA
 
System Analysis ct1414-lecture_3-part1.pptx
byIsaacKasisi
 
Use Case Modeling In UML
bySyed Hassan Ali
 
UseCaseDiagrams.pdf shhsja whuwbwnwhwywbw
by211b410
 
Lecture 3 - Misuse Cases Final.ppt
byDrBasemMohamedElomda
 

Similar to Week 6 Secure SW Requirements -Abuse case.pptx

PPTX
Lecture no 8 use case modeling and use case diagrams
bynaveed428
 
PPT
Usecase
bynazeer pasha
 
PDF
Use case diagrams
byFajar Baskoro
 
PDF
Use case diagrams
bymohamed tahoon
 
PPT
05 use case
byBaskarkncet
 
PPTX
Basic Behavioral Modeling
byAMITJain879
 
PPT
Chap07
byprofessorkarla
 
PPT
Use case modeling
byWajahat Hasnain
 
PPT
Chapter 7 Use Case Model
byMae Abigail Banquil
 
PPT
Information Systems and Systems Design Chapter 7
bychaukevushaka
 
PPT
Use cases
byAmjad Adis
 
PPTX
Use Case Analysis and Diagramming
byOrnella Dunn
 
PPT
Use Case approach
bySreeram Kishore Chavali
 
PPTX
Use Case Diagram on real world scenaios.pptx
bynomi29kitchloo
 
PPTX
Lesson02_Use Case Diagrams
byMarwa Ali Eissa
 
PPT
chapter_5_5.ppt
byMonirHossain707319
 
PPT
Usecase Presentation
byRungsun Promprasith
 
PPTX
Lecture#04, use case diagram
bybabak danyal
 
PPTX
Presentation Use Case Diagram and Use Case Specification.pptx
byazida3
 
PPTX
Use Case Modelling.pptx
byazida3
 
Lecture no 8 use case modeling and use case diagrams
bynaveed428
 
Usecase
bynazeer pasha
 
Use case diagrams
byFajar Baskoro
 
Use case diagrams
bymohamed tahoon
 
05 use case
byBaskarkncet
 
Basic Behavioral Modeling
byAMITJain879
 
Chap07
byprofessorkarla
 
Use case modeling
byWajahat Hasnain
 
Chapter 7 Use Case Model
byMae Abigail Banquil
 
Information Systems and Systems Design Chapter 7
bychaukevushaka
 
Use cases
byAmjad Adis
 
Use Case Analysis and Diagramming
byOrnella Dunn
 
Use Case approach
bySreeram Kishore Chavali
 
Use Case Diagram on real world scenaios.pptx
bynomi29kitchloo
 
Lesson02_Use Case Diagrams
byMarwa Ali Eissa
 
chapter_5_5.ppt
byMonirHossain707319
 
Usecase Presentation
byRungsun Promprasith
 
Lecture#04, use case diagram
bybabak danyal
 
Presentation Use Case Diagram and Use Case Specification.pptx
byazida3
 
Use Case Modelling.pptx
byazida3
 

More from azida3

PPTX
Security Design Principles for developing secure application .pptx
byazida3
 
PPTX
Week 4.1 Building security into the software development lifecycle copy.pptx
byazida3
 
PPT
Prototyping.eveningclass.ppt
byazida3
 
PPT
3830100.ppt
byazida3
 
PPT
Access Control
byazida3
 
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
byazida3
 
PPT
codingtechniques1.ppt
byazida3
 
PPTX
GCSECS-DefensiveDesign.pptx
byazida3
 
PPTX
DefensiveProgramming (1).pptx
byazida3
 
PPTX
Requirments Elicitation.pptx
byazida3
 
PPTX
Requirements analysis.pptx
byazida3
 
PPTX
Introduction to SAD.pptx
byazida3
 
PPT
Chap 4 - Requirements Engineering 1.ppt
byazida3
 
PPTX
BPM - Activity diagram.pptx
byazida3
 
PPTX
Introduction to SAD.pptx
byazida3
 
Security Design Principles for developing secure application .pptx
byazida3
 
Week 4.1 Building security into the software development lifecycle copy.pptx
byazida3
 
Prototyping.eveningclass.ppt
byazida3
 
3830100.ppt
byazida3
 
Access Control
byazida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
byazida3
 
codingtechniques1.ppt
byazida3
 
GCSECS-DefensiveDesign.pptx
byazida3
 
DefensiveProgramming (1).pptx
byazida3
 
Requirments Elicitation.pptx
byazida3
 
Requirements analysis.pptx
byazida3
 
Introduction to SAD.pptx
byazida3
 
Chap 4 - Requirements Engineering 1.ppt
byazida3
 
BPM - Activity diagram.pptx
byazida3
 
Introduction to SAD.pptx
byazida3
 

Recently uploaded

PDF
Orlando by Virginia Woolf: The Granite and The Rainbow
byAdityarajsinh Gohil
 
PPTX
Greengnorance Toolkit Module 6 Water Resources
byKarl Donert
 
PPTX
Greengnorance Toolkit Module 4 Active Mobility and Transport
byKarl Donert
 
PDF
Holm Community Heritage at St Nicholas Kirk - 2025 AGM Minutes (30.04.2025)
byAntoine Pietri
 
PPTX
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
PDF
RAJAT ARORA SIR PHYSICAL EDUCATION NOTES ALL CHAPTERS .pdf
bysumitkannoujiya74
 
PPTX
Lesson_1 Acceleration.pptx_Science 8-4th quarter
byAnnabelAlarcon
 
PPTX
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
PDF
Workshop 29 Crystal Review All Students by YogiGoddess
by©LDMMIA, ©Reiki Yoga
 
PDF
Types of Foot & Foot Modifications in Birds
byDr. Ramzan Virani
 
PPTX
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
PPTX
How to Manage Checkout Policy & Customer Portal in Odoo 18 Website
byCeline George
 
PDF
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
PPTX
Greengnorance Toolkit Module 3 Shopping and Food
byKarl Donert
 
PDF
Bones by Sadu Kassam (play) story ppt pdf
byRonnieMaeBorres
 
PPTX
Types of counselling Directive, Non Directive, Eclectic Counselling
byPriya Sush
 
PPTX
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
PPTX
Biological source, chemical constituents, and therapeutic efficacy of the fol...
bySai Meer College of Pharmacy
 
PDF
Beyond the Absurd: A Comparative Reading of Waiting for Godot and the Bhagava...
byKruti Vyas
 
PPTX
Plato's Insight model teaching and learning.pptx
byNikhitaDS
 
Orlando by Virginia Woolf: The Granite and The Rainbow
byAdityarajsinh Gohil
 
Greengnorance Toolkit Module 6 Water Resources
byKarl Donert
 
Greengnorance Toolkit Module 4 Active Mobility and Transport
byKarl Donert
 
Holm Community Heritage at St Nicholas Kirk - 2025 AGM Minutes (30.04.2025)
byAntoine Pietri
 
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
RAJAT ARORA SIR PHYSICAL EDUCATION NOTES ALL CHAPTERS .pdf
bysumitkannoujiya74
 
Lesson_1 Acceleration.pptx_Science 8-4th quarter
byAnnabelAlarcon
 
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
Workshop 29 Crystal Review All Students by YogiGoddess
by©LDMMIA, ©Reiki Yoga
 
Types of Foot & Foot Modifications in Birds
byDr. Ramzan Virani
 
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
How to Manage Checkout Policy & Customer Portal in Odoo 18 Website
byCeline George
 
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
Greengnorance Toolkit Module 3 Shopping and Food
byKarl Donert
 
Bones by Sadu Kassam (play) story ppt pdf
byRonnieMaeBorres
 
Types of counselling Directive, Non Directive, Eclectic Counselling
byPriya Sush
 
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
Biological source, chemical constituents, and therapeutic efficacy of the fol...
bySai Meer College of Pharmacy
 
Beyond the Absurd: A Comparative Reading of Waiting for Godot and the Bhagava...
byKruti Vyas
 
Plato's Insight model teaching and learning.pptx
byNikhitaDS
 

Week 6 Secure SW Requirements -Abuse case.pptx

  • 1.
    Week 5 :Secure Software Requirements Requirements Phase from SSDLC
  • 2.
    Secure SW Requirements RequirementsPhase - Secure Software Development Life Cycle
  • 3.
  • 4.
    Software Security Frameworks A.A. R. Angulo, X. Yang, Q. Niyaz, S. Paheding and A. Y. Javaid, "A Secure Software Engineering Design Framework for Educational Purpose," 2022 IEEE International
  • 5.
    Requirements and design phasein SDLC with secure component A. A. R. Angulo, X. Yang, Q. Niyaz, S. Paheding and A. Y. Javaid, "A Secure Software Engineering Design Framework for Educational Purpose," 2022 IEEE International Conference
  • 6.
  • 7.
    What is AbuseCase? • An abuse case as a specification of a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system • An abuse case should describe the abuse of privilege used to complete the abuse case. • Any abuse can be accomplished by gaining total control of the target machine through modification of the system software or firmware.
  • 8.
    What is AbuseCase? • Abuse cases are described using the same strategy as for use cases: use case diagrams and use case descriptions. • There are no use any special symbols for abuse cases in diagrams, that is, an abuse case diagram is drawn with the same symbols as a use case diagram. • This allows to create abuse case specifications in standard notation such as UML and to use design tools such as Rational Rose. • Distinguish the two by keeping them separate and labelling the diagrams. • Abuse cases are not shown on a use case diagram and use cases are not shown on an abuse case diagram. • Abuse cases can also range in levels of abstraction, and we use both essential abuse cases and real abuse cases
  • 9.
    Elements of AbuseCase • If a human that is represented by an actor from a use case might also act maliciously in the corresponding role, then a new actor should be defined in the abuse case • A new actor Malicious Student for the abuse case will be defined, rather than have the Student actor associated with the abuse case. Malicious Student
  • 10.
    Elements of AbuseCase • The abuse case Tamper with scores
  • 11.
    Abuse case description •The description of an abuse case can also slightly differ from the approach taken with use case descriptions. • An abuse case describes a family of undesirable interactions. • The final "implementation" of an abuse case will be through the exploitation of requirements oversights, design flaws, and implementation flaws. • Since we want to use the abuse case model to reduce the number of requirements oversights and design flaws, we may choose describe many abstract "transactions" that might take place to accomplish the same abuse. • Each feature or component of the target system that might be exploited in an abuse case will be considered in the abuse case description
  • 12.
    Steps for developingAbuse Case 1. Identify Actors • If an actor in the use case model might attempt harmful use of the system, then add a corresponding malicious actor to the abuse case model. • After the insider roles are represented, then actors should be added for any intruders that might be a problem.
  • 13.
    Steps for developingAbuse Case • 2. Identify Abuse Case • For each actor, determine their interactions with the system. Name each abuse case. At this point, it is helpful to draw an abuse case diagram.
  • 14.
    Steps for developingAbuse Case • 3. Define Abuse Case • As the interface to the system becomes more refined and the specific components are identified, the abuse case can be described. Since we use a tree structure to describe the possible points of abuse, we defer the definition until there is enough system structure to work with. The definitions can be refined as the description of the system is refined
  • 15.
    Steps for developingAbuse Case • 4. Check granularity • There may be too few abuse cases or there may be too many. • Deciding how many are needed is largely a matter of experience and consideration of the specific target system. • There are two ways we can wind up with too many abuse cases: • including possible but unlikely cases, or • modelling with too much detail. • The latter problem results in several abuse cases that are distinguished only by details that are inappropriate for the purpose.
  • 16.
    Steps for developingAbuse Case • 5. Check completeness and minimality • Each abuse case description should be checked to see if it describes an interaction that results in harm to a user or stakeholder in the system. • We should also check to see if a critical abuse case may have been omitted. • An abuse case in the model may lack an abuse based on the minimal privilege needed to accomplish the harm. • Requirements documents and the use case model should be reviewed, along with descriptions of anticipated security features. • Users and customers should be consulted to be sure that no critical abuse has been overlooked
  • 17.
    Comparison Use Case diagramAbuse Case diagram A complete transaction between one or more actors and a system A family of complete transactions between one or more actors and a system, that results in harm UML-based use case diagrams. UML-based use case diagrams. Typically described using natural language. Typically described using natural language. A tree/DAG diagram may also be used. Potentially one family member for each kind of privilege abuse and for each component that might be exploited. Includes a description of the range of security privileges that may be abused. Includes a description of the harm that results from an abuse case.
  • 18.
    An Abuse CaseModel For An Internet Based Information Security Lab Use Case diagram Abuse Case diagram
  • 19.
    Actor Descriptions -Script Kiddie • Resources • The Script Kiddie operates alone, although he or she may exchange some information with fellow Script Kiddies. The Script Kiddie has hardware, software, and Internet access that might be available to an individual through purchase with personal funds or by theft from an employer. Our model assumes that the Script Kiddie is willing to spend about 24 hours trying to defeat the security of a particular system
  • 20.
    Actor Descriptions -Script Kiddie • Skills • Script Kiddies have limited technical skills. The majority of their activities are carried out using tools and techniques devised by other people •Objectives • Script Kiddies may have a variety of criminal objectives including vandalism and theft. They also are interested in demonstrating their technical prowess
  • 21.
    Actor Descriptions -Nazgul • Resources • Nazguls operate on behalf of groups that have budgets set aside to accomplish some form of harm. They may have technical assistance from an organization that is tasked with supporting them. They have hardware, software, tools, and Internet access provided by a business, a government, or a quasi-government. They have significant access to documentation of the systems they intend to abuse and may be able to test or simulate an intended exploit on a copy of the target system. We assume that Nazguls may spend up to 90 days in preparation and execution of an attempt to breach the security of the system.
  • 22.
    Actor Descriptions -Nazgul • Skills • Nazguls have superior technical skills. They can design operating systems, network protocols, computer hardware, and cryptographic algorithms. They apply software engineering technology, mathematics, computer engineering, and similar disciplines to their exploits. • Objectives • Nazguls are primarily interested in accomplishing the objective of the organization that supports them. They also seek to increase their own skills and knowledge, but not to demonstrate them to anyone. Organizations that support Nazguls do so to carry out espionage, warfare, terrorism or similar harmful activities
  • 23.
    An Abuse CaseDescription: Browse Server Exercise With Warez • Browse Server Exercises with Warez
  • 24.
    Applications Of AbuseCase Modelling • Requirements phase • abuse case models can be used to increase both user and customer understanding of the security features of a proposed product. • They can be made simple and abstract enough to be understood by users from a wide range of application domains. • They can be used to show customers what will be prevented and what will not, in terms of their application domain. F • Abuse case models are also useful for security requirements elicitation. • Users can decide, in terms of their own application domain, which threats apply, and which threats should be countered by product security features. • Abuse cases may help security practitioners and users save time in arriving at a good understanding of security requirements.
  • 25.
    Applications Of AbuseCase Modelling • Design Phase • we can apply abuse cases through a refutation process. • As we analyse and design the system, we refute each use case to the appropriate level of assurance. This is one reason for describing the actors in greater detail in an abuse case. • Our refutation may depend on the skills, resources, or objectives of the actor. • For example, we may argue that 40-bit cryptographic keys are sufficient to refute an abuse case involving a Script Kiddie actor, because of their specified resource limitations, but not against a Nazgul. • In other instances, our refutation may be based on the properties of a design feature. The strength of the refutation can be used to characterize the assurance we have.
  • 26.
    Applications Of AbuseCase Modelling • Testing Phase • During testing, we can design our security function tests to refute abuse cases. • For example, we can apply the abuse case directly as a family of test cases. • We form a test team that has the same skills and resources as the actors associated with the abuse case and let them exercise our system features. • We can also combine testing with other refutation arguments.
  • 27.
    Conclusion • Abuse caseare particularly useful in communicating with users and customers during requirements analysis and may be easier to understand when trade-offs must be made between security and functionality • Developing an abuse case diagram : 1. The abuse case diagram 2. Describe the actors 3. Abuse case description for each abuse case
  • 28.
    References • McGraw, G.(2012). Software security: Building security in. Datenschutz und Datensicherheit-DuD, 36(9), 662-665. • McDermott, J., & Fox, C. (1999, December). Using abuse case models for security requirements analysis. In Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99) (pp. 55-64). IEEE. • A. A. R. Angulo, X. Yang, Q. Niyaz, S. Paheding and A. Y. Javaid, "A Secure Software Engineering Design Framework for Educational Purpose," 2022 IEEE International Conference on Electro Information Technology (eIT), Mankato, MN, USA, 2022, pp. 375-381
  • 29.