Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering Secure Software

Published byClinton McCormick Modified over 6 years ago

Similar presentations

Presentation on theme: "Engineering Secure Software"— Presentation transcript:

1 Engineering Secure Software
Misuse and Abuse cases

2 What is a requirement? How do you define it?
If done well, what are they useful for? © Andrew Meneely

3 Key Requirement Properties
What the system should… Do Not do Who interacts with the system (actors) Highly domain-specific Describe how the surrounding environment has changed as a result of the system

4 Requirements Modeling
System-as-is, System-to-be Actor Modeling Goal Modeling Dependency Modeling Plans, Beliefs, Resources, Context, …

5 Security is Not a Set of Features
Secure is an emergent property of software “Being dry” in a tent in the rain Being secure is the result of many, many factors, not one feature (e.g. SSL) …so requirements documents should not just be a list of features

6 Unintended Functionality
What the system is What the System Should Be Vulnerabilities Faults Non-security faults (bugs) Vulnerabilities are in areas of too much functionality Copyright © Andrew Meneely

7 Use Case Review Use cases include: Actor Preconditions
Main flow describes the primary scenario Alternative scenarios describe how the system reacts to alternative cases

8 Misuse & Abuse Cases A scenario within a use case in which an actor compromises the system Flow of events, but with malicious usage Define the harm done to the system Keys: Domain, domain, domain. Don’t focus on coding and design vulnerabilities here Malicious actors are creative Question the assumptions of the system Focus on what the actor can do over will do (prioritize later)

9 Misuse vs. Abuse Misuse is unintentional Abuse is intentional
Misuse cases are still security-related (crime of opportunity) Abuse cases imply the actor is actively seeking vulnerabilities

10 e.g. Maintain Drug Interactions
Actor: Hospital Administrator Precondition: Admin is authenticated. Main Flow: Admin selects two different drug codes from the National Drug Codes selection menu Admin enters a minimum dosage for both drugs Admin enters text notes about the potential consequences of the interaction Admin is shown a table of patient records where the interaction rule would apply Admin saves the interaction rule

11 e.g. Misusing Maintain Drug Interactions
Misuse case Main flow steps 1-3 Admin is shown a set of patient records that have not been authorized for hospital administrator viewing Harm done: Confidentiality (and consequently, patient privacy) has been violated

12 e.g. Abusing Maintain Drug Interactions
Abuse case Actor: attacker who has spoofed an administrator’s identity Repeat Main Flow steps 10,000 times Providing many rules for all different drug interactions Auto-generate vague, technical text notes for each interaction rule Stop when the preview step takes over a minute to complete Harm done: Patients are overwhelmed by alerts, so alerts become ignored Availability of the system is compromised

13 Isn’t this infinite? Yes But even one good abuse case goes far
Easier to think beyond one scenario Starts a discussion Gets stakeholders and developers into a balanced mindset early on Motivates good design decisions

14 Security Requirements
Generalized forms of misuse and abuse cases Use-cases trace to security requirements Document these in the main flow Also called “anti-requirements” E.g. from Maintain Drug Interactions Hospital administrators are only allowed to view a patient’s record with explicit, opt-in indication from the patient All actors are limited to 10 server requests per minute

15 Actor Inspiration Think of the best engineer on your team
Fire them and humiliate them publicly Now challenge them to break your system What would they go after? What knowledge could they leverage the most?

16 Assumptions Inspiration
What are the other non-malicious users expecting in this domain? What are the ramifications of violating access restrictions? Where could an attacker “sit in the middle” Sniff the network? Load a plug-in?

17 Today’s Activity See course website for “Abuse & Misuse Cases”
Systems are: An auction website A charity micro-lending website (e.g. Kiva.org) A social networking website for model rocket hobbyists A smartphone app for trading recipes with people in your neighborhood A reservation system for virtual images to be run on server farms A moderated and curated question-and-answer site (e.g. StackOverflow) A crowd-sourced service that curates automated language translation

Download ppt "Engineering Secure Software"

Similar presentations

Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.

Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
EXAMINING CYBER/COMPUTER LAW BUSINESS LAW. EXPLAIN CYBER LAW AND THE VARIOUS TYPES OF CYBER CRIMES.

EXAMINING CYBER/COMPUTER LAW BUSINESS LAW. EXPLAIN CYBER LAW AND THE VARIOUS TYPES OF CYBER CRIMES.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Security administrators The experts need better tools too!

Security administrators The experts need better tools too!
Engineering Secure Software. Why do we study risk?  Many outcomes are possible, not all are probable  Enumeration  Prioritization  Discussion.

Engineering Secure Software. Why do we study risk?  Many outcomes are possible, not all are probable  Enumeration  Prioritization  Discussion.
System Sequence Diagrams

System Sequence Diagrams
BUS1MIS Management Information Systems Semester 1, 2012 Week 7 Lecture 1.

BUS1MIS Management Information Systems Semester 1, 2012 Week 7 Lecture 1.
CSCE 548 Secure Software Development Risk-Based Security Testing.

CSCE 548 Secure Software Development Risk-Based Security Testing.
Managing Changing Requirements: Structure the Use Case Model PowerPoint Presentation derived from IBM/Rational course Mastering Requirements Management.

Managing Changing Requirements: Structure the Use Case Model PowerPoint Presentation derived from IBM/Rational course Mastering Requirements Management.
Prepared by: Dinesh Bajracharya Nepal Security and Control.

Prepared by: Dinesh Bajracharya Nepal Security and Control.
Requirements Elicitation. Who are the stakeholders in determining system requirements, and how does their viewpoint influence the process? How are non-technical.

Requirements Elicitation. Who are the stakeholders in determining system requirements, and how does their viewpoint influence the process? How are non-technical.
CMPT 275 Software Engineering

CMPT 275 Software Engineering
A Basic Introduction to Computer Security John H. Porter University of Virginia Department of Environmental Sciences.

A Basic Introduction to Computer Security John H. Porter University of Virginia Department of Environmental Sciences.
Faculty of Computer & Information

Faculty of Computer & Information
CSCE 522 Secure Software Development Best Practices.

CSCE 522 Secure Software Development Best Practices.
Software Testing and Maintenance 1 Code Review  Introduction  How to Conduct Code Review  Practical Tips  Tool Support  Summary.

Software Testing and Maintenance 1 Code Review  Introduction  How to Conduct Code Review  Practical Tips  Tool Support  Summary.
Yarmouk University Department of Computer Information Systems CIS 499 Yarmouk University Department of Computer Information Systems CIS 499 Yarmouk University.

Yarmouk University Department of Computer Information Systems CIS 499 Yarmouk University Department of Computer Information Systems CIS 499 Yarmouk University.

Similar presentations

Ads by Google