JSW 2016 Vol.11(5): 520-527 ISSN: 1796-217X
doi: 10.17706/jsw.11.5.520-527
doi: 10.17706/jsw.11.5.520-527
A Method for Developing Abuse Cases and Its Evaluation
Imano Williams1, Xiaohong Yuan1*, Jeffrey Todd McDonald2, Mohd Anwar1
1Department of Computer Science, North Carolina A&T State University, 1601 East Market St., Greensboro, North Carolina, USA.
2Department of Computer Science, University of South Alabama, 3150 Jaguar Drive, Mobile, Alabama, USA.
Abstract—To develop secure software, software engineers need to have the mindset of attackers. Developing abuse cases can help software engineers to think more like attackers. This paper describes a method for developing abuse cases based on threat modeling, attack patterns, and Common Weakness Enumeration. The method also includes ranking the abuse cases according to their risks. This method intends to help non-experts create abuse cases following a specific process, and leveraging the knowledge bases of threat modeling, attack patterns, and Common Weakness Enumeration. The proposed method was evaluated through two evaluation studies conducted in two secure software engineering courses at two different universities. Evaluation studies show that the proposed method was easier to follow by non-experts in generating abuse cases than brainstorming, and could reduce the time needed for creating abuse cases. Other findings from the evaluation studies are also discussed in the paper.
Index Terms—Abuse cases, threat modeling, attack patterns, common weakness enumeration, secure software development.
2Department of Computer Science, University of South Alabama, 3150 Jaguar Drive, Mobile, Alabama, USA.
Abstract—To develop secure software, software engineers need to have the mindset of attackers. Developing abuse cases can help software engineers to think more like attackers. This paper describes a method for developing abuse cases based on threat modeling, attack patterns, and Common Weakness Enumeration. The method also includes ranking the abuse cases according to their risks. This method intends to help non-experts create abuse cases following a specific process, and leveraging the knowledge bases of threat modeling, attack patterns, and Common Weakness Enumeration. The proposed method was evaluated through two evaluation studies conducted in two secure software engineering courses at two different universities. Evaluation studies show that the proposed method was easier to follow by non-experts in generating abuse cases than brainstorming, and could reduce the time needed for creating abuse cases. Other findings from the evaluation studies are also discussed in the paper.
Index Terms—Abuse cases, threat modeling, attack patterns, common weakness enumeration, secure software development.
Cite: Imano Williams, Xiaohong Yuan, Jeffrey Todd McDonald, Mohd Anwar, "A Method for Developing Abuse Cases and Its Evaluation," Journal of Software vol. 11, no. 5, pp. 520-527, 2016.
General Information
ISSN: 1796-217X (Online)
Frequency: Quarterly
Editor-in-Chief: Prof. Antanas Verikas
Executive Editor: Ms. Yoyo Y. Zhou
Abstracting/ Indexing: DBLP, EBSCO, CNKI, Google Scholar, ProQuest, INSPEC(IET), ULRICH's Periodicals Directory, WorldCat, etc
E-mail: jsweditorialoffice@gmail.com
-
Mar 01, 2024 News!
Vol 19, No 1 has been published with online version [Click]
-
Jan 04, 2024 News!
JSW will adopt Article-by-Article Work Flow
-
Apr 01, 2024 News!
Vol 14, No 4- Vol 14, No 12 has been indexed by IET-(Inspec) [Click]
-
Apr 01, 2024 News!
Papers published in JSW Vol 18, No 1- Vol 18, No 6 have been indexed by DBLP [Click]
-
Nov 02, 2023 News!
Vol 18, No 4 has been published with online version [Click]