Security Threat Modeling and Analysis: A Goal-Oriented Approach

E.A. Oladimeji, S. Supakkul, and L. Chung (USA)


software security, threat modeling, security requirements en gineering, negative softgoal, inverse contributions


Threat modeling provides a good foundation for the spec ification of security requirements during application devel opment. When applied during the early phases of software development, threat modeling empowers developers in sev eral ways. These range from verifying application archi tecture, identifying and evaluating threats, designing coun termeasures, to penetration testing based on a threat model. There is however paucity of established techniques and tools for threat modeling and analysis. This paper proposes a goal oriented approach to security threat modeling and analysis by using visual model elements to explicitly capture threat related concepts. We introduce the notions of negative soft goals for representing threats and inverse contributions for evaluating design alternatives during analysis, while adapting the formal semantics of the NFR Framework. An analysis procedure is also provided to guide context-sensitive selec tion of countermeasures. The significance of this approach derives from the strength of the underlining analysis frame work. We illustrate this approach by modeling and analyzing the security threats of an online banking system.

Important Links:

Go Back