Software Security Requirements Engineering

Users may not be totally aware of the security risks, risks to the mission,
and vulnerabilities associated with their system.

Commonly used techniques for capturing security requirements can be broadly
categorized as either a top-down or a bottom-up analysis of the possible
security failures that could put the organization at risk.

1. Fault tree analysis for security is a top-down approach to identifying
vulnerabilities. In a fault tree, the attacker's goal is placed at the top
of the tree. The analyst then documents the possible alternatives for
achieving that attacker goal. For each alternative, the analyst may
recursively add precursor alternatives for achieving the subgoals that
compose the main attacker goal. This process is repeated for each attacker
goal. By examining the lowest-level nodes of the resulting attack tree, the
analyst can identify all possible techniques for violating the system's
security; preventions for these techniques can then be specified as security
requirements for the system.

 
<http://bp0.blogger.com/_ndrxWV2ZI0s/SD6oW53RgOI/AAAAAAAABC0/6uDbD0ALjvU/s16
00-h/Security_Req.jpg> 
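As an added worked example (not from the original post or its author), the following Python script represents an attack tree of the kind described above, enumerates the minimal combinations of lowest-level techniques that reach the attacker's goal, and maps each leaf technique to the requirement that prevents it. The tree, its node names and the mitigations are constructed sample data, and the AND/OR gate convention is an assumption, since the post does not specify one.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional

# Added example with constructed sample data; not the blog post's own tool.
# Gate semantics are an assumption: an OR node is reached by any one child,
# an AND node only when every child is reached.


@dataclass
class Node:
    name: str
    gate: Optional[str] = None              # "AND", "OR", or None for a leaf
    children: List["Node"] = field(default_factory=list)
    mitigation: Optional[str] = None        # requirement that prevents a leaf technique


def attack_paths(node: Node):
    """Return every minimal set of leaf techniques that achieves `node`."""
    if not node.children:
        return [frozenset([node.name])]
    child_paths = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [p for paths in child_paths for p in paths]
    if node.gate == "AND":
        # one path from each child, combined into a single technique set
        return [frozenset().union(*combo) for combo in product(*child_paths)]
    raise ValueError(f"node {node.name!r} has children but no AND/OR gate")


def leaves(node: Node):
    """The lowest-level nodes: the concrete techniques the analyst must prevent."""
    if not node.children:
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def derive_requirements(root: Node):
    """Map each leaf technique to its preventive requirement, flagging gaps."""
    return {
        leaf.name: leaf.mitigation or f"GAP: no control specified for {leaf.name!r}"
        for leaf in leaves(root)
    }


# Constructed sample tree: attacker goal at the top, alternatives below.
SAMPLE_TREE = Node("Attacker reads customer records", "OR", [
    Node("Log in as a legitimate user", "AND", [
        Node("Obtain a valid username", "OR", [
            Node("Harvest names from public profile pages"),   # no control yet
            Node("Enumerate accounts via login error messages",
                 mitigation="Login errors shall not reveal whether an account exists"),
        ]),
        Node("Obtain the matching password", "OR", [
            Node("Reuse a password leaked from another site",
                 mitigation="A second authentication factor shall be required"),
            Node("Guess a weak password",
                 mitigation="Password strength shall be enforced and login attempts rate-limited"),
        ]),
    ]),
    Node("Bypass the application", "OR", [
        Node("Read an unencrypted database backup",
             mitigation="Backups shall be encrypted with keys held outside the backup host"),
        Node("Inject SQL through the search field",
             mitigation="All database access shall use parameterized queries"),
    ]),
])


if __name__ == "__main__":
    for path in attack_paths(SAMPLE_TREE):
        print("attack path:", sorted(path))
    for technique, requirement in derive_requirements(SAMPLE_TREE).items():
        print(f"{technique} -> {requirement}")
```

The AND node is what makes the enumeration useful: the four username/password combinations are separate paths, and a requirement is only complete when every path has at least one prevented leaf. The `GAP:` marker surfaces a leaf the analyst has not yet covered.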

2. Failure Modes and Effects Analysis (FMEA) is a bottom-up approach for
analyzing possible security failures. The consequences of a simultaneous
failure of all existing or planned security protection mechanisms are
documented, and the impact of each failure on the system’s mission and
stakeholders is traced.
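To illustrate the bottom-up direction, here is an added Python example (not the post's own) that lays out an FMEA-style worksheet for a set of protection mechanisms: each entry records how a mechanism can fail, the effect on the mission and which stakeholders it reaches, and the failure modes are ranked by the conventional FMEA risk priority number (severity times occurrence times detection, each on a 1 to 10 scale; this scoring convention is an assumption not stated in the post). The mechanisms, failure modes and scores are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example with constructed data; not the blog post's own worksheet.
# Assumed scoring convention (standard FMEA practice, not stated in the post):
# severity, occurrence and detection are each rated 1..10 and multiplied
# into a risk priority number (RPN).

SCALE_FIELDS = ("severity", "occurrence", "detection")


@dataclass(frozen=True)
class FailureMode:
    mechanism: str              # existing or planned protection mechanism
    failure: str                # how that mechanism fails
    mission_effect: str         # consequence for the system's mission
    stakeholders: Tuple[str, ...]
    severity: int               # 1 = negligible .. 10 = catastrophic
    occurrence: int             # 1 = remote .. 10 = almost certain
    detection: int              # 1 = always noticed .. 10 = never noticed

    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


def in_range(fm: FailureMode) -> bool:
    return all(1 <= getattr(fm, f) <= 10 for f in SCALE_FIELDS)


def rank_by_rpn(modes: List[FailureMode]) -> List[FailureMode]:
    """Highest-risk failure modes first; refuse worksheets with bad scores."""
    bad = [fm for fm in modes if not in_range(fm)]
    if bad:
        raise ValueError(f"scores out of range for: {[fm.mechanism for fm in bad]}")
    return sorted(modes, key=lambda fm: fm.rpn(), reverse=True)


def affected_stakeholders(modes: List[FailureMode]) -> List[str]:
    """Who is hit if every listed mechanism fails at the same time."""
    return sorted({s for fm in modes for s in fm.stakeholders})


def requirements(modes: List[FailureMode], threshold: int) -> List[str]:
    """Turn each failure mode at or above the RPN threshold into a requirement."""
    return [
        f"The system shall detect and contain failure of '{fm.mechanism}' "
        f"({fm.failure}); RPN {fm.rpn()}"
        for fm in rank_by_rpn(modes) if fm.rpn() >= threshold
    ]


# Constructed worksheet for a customer-records system.
SAMPLE_MODES = [
    FailureMode("TLS on the customer portal",
                "certificate expires and validation is disabled as a workaround",
                "credentials and records cross the network without protection",
                ("customers",), severity=8, occurrence=4, detection=3),
    FailureMode("Database access logging",
                "log pipeline silently drops events",
                "unauthorized reads are never noticed",
                ("customers", "compliance team"), severity=6, occurrence=5, detection=8),
    FailureMode("Backup encryption",
                "encryption key stored on the same host as the backup",
                "theft of one backup exposes every record",
                ("customers", "company"), severity=9, occurrence=3, detection=7),
    FailureMode("Web application firewall",
                "rule set disabled during troubleshooting and not re-enabled",
                "malformed input reaches the application unfiltered",
                ("company",), severity=5, occurrence=6, detection=6),
]


if __name__ == "__main__":
    for fm in rank_by_rpn(SAMPLE_MODES):
        print(f"RPN {fm.rpn():3d}  {fm.mechanism}: {fm.failure} -> {fm.mission_effect}")
    print("stakeholders affected by simultaneous failure:", affected_stakeholders(SAMPLE_MODES))
    for req in requirements(SAMPLE_MODES, threshold=150):
        print(req)
```

Note how the ranking differs from severity alone: the logging failure is less severe than the backup one but rises to the top because it is both more likely and far harder to notice, which is exactly the kind of silent control failure a bottom-up analysis is meant to surface.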

Other techniques for developing system security requirements include threat
modeling and misuse and abuse cases.

Posted by Dharmesh Mehta

[Ph4nt0m] <http://www.ph4nt0m.org/>  

[Ph4nt0m Security Team]

<http://blog.ph4nt0m.org/>


--~--~---------~--~----~------------~-------~--~----~
 To post to this group, send email to [email protected]
 To unsubscribe, send email to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
