posted on 2017-04-10, 09:01authored byYijun Yu, Virginia N.L. Franqueira, Thein Than Tun, Roel J. Wieringa, Bashar NuseibehBashar Nuseibeh
Computer-based systems are increasingly being exposed to evolving security threats, which often reveal new vulnerabilities. A formal analysis of the evolving threats is difficult due to a number of practical considerations such as incomplete knowledge about the design, limited information about attacks, and constraints on organisational resources. In our earlier work on RISA (Risk assessment in Security Argumentation), we showed that informal risk assessment can complement the formal analysis of security requirements. In this paper, we integrate the formal and informal assessment of security by proposing a unified meta-model and an automated tool for supporting security argumentation called OpenRISA. Using a uniform representation of risks and arguments, our automated checking of formal arguments can identify relevant risks as rebuttals to those arguments, and identify mitigations from publicly available security catalogues when possible. As a result, security engineers are able to make informed and traceable decisions about the security of their computer-based systems. The application of OpenRISA is illustrated with examples from a PIN Entry Device case study. (C) 2015 Elsevier Inc. All rights reserved.
Funding
Study on Aerodynamic Characteristics Control of Slender Body Using Active Flow Control Technique
The Journal of Systems and Sofware;106, pp. 102-116
Publisher
Elsevier
Note
peer-reviewed
Other Funding information
ERC, SFI
Rights
This is the author submitted version of "Automated analysis of security requirements through risk-based argumentation" that was published in The Journal of Systems and Sofware, 2015, 106, pp. 102-116. The final published version is available at http://doi.org/10.1016/j.jss.2015.04.065