
Publication

Automated Threat Analysis for Security and Privacy

Book - Dissertation

Security and privacy have long been recognized as key concerns in the development of software systems. Despite their recognized importance, much of the attention is focused only on the code-level implementation of these principles. However, the design-level consideration of these principles is instrumental to fully realize secure and privacy-preserving software and to avoid costly design flaws. Avoiding these security and privacy flaws requires support for analyzing the software design for security and privacy threats. A common design representation used in this context is the Data Flow Diagram (DFD). Security and privacy threat modeling approaches use this DFD representation to identify security and privacy threats. However, these analyses involve extensive manual effort and quickly lead to an explosion of threats to resolve. This makes the analyses effort-intensive and error-prone, hinders their reproducibility, and overburdens the evaluation of design alternatives. This thesis addresses the automation of security and privacy threat analysis and thus supports security and privacy by design. The automated threat analysis is enabled through: (i) an extension to the DFD representation of software systems to support the inclusion of essential information on security and privacy solutions, considering the effects of these solutions in mitigating security and privacy threats, and (ii) extending model-based security and privacy design analysis activities to enable the elicitation of security and privacy threats using model queries and the prioritization of the identified security and privacy threats using risk indicators. These extensions are validated and integrated in the SPARTA tool prototype to realize comprehensive and automated security and privacy threat analyses.
The implementation provides a foundation for further exploring and realizing automation opportunities in the construction of system designs, the evaluation of security and privacy design alternatives, and the integration as an automated analysis activity in contemporary continuous integration and deployment practices.
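To make the approach sketched in the abstract concrete, the following is an added toy illustration (not code from the dissertation or from the SPARTA prototype): a small DFD whose elements and flows carry solution annotations, a set of model queries that elicit security and privacy threats from it, and a risk indicator used to prioritize the result. The element kinds, the trust-zone labels, the solution names (`tls`, `auth`, `pseudonymise`), the three queries and the risk weighting are all assumptions chosen for this example.

```python
"""Toy DFD threat elicitation via model queries with risk-based prioritization.

Added illustration only; not SPARTA code. Element kinds, trust zones, solution
annotations, the queries and the risk weighting are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Element:
    name: str
    kind: str                      # assumption: "process", "datastore" or "external"
    trust_zone: str                # assumption: zone label used to detect boundary crossings
    solutions: Set[str] = field(default_factory=set)   # e.g. {"auth"} on a process


@dataclass
class Flow:
    src: Element
    dst: Element
    data: str
    sensitivity: int               # assumption: risk indicator 1..3 for the data carried
    solutions: Set[str] = field(default_factory=set)   # e.g. {"tls"} on the flow

    def crosses_boundary(self) -> bool:
        return self.src.trust_zone != self.dst.trust_zone


@dataclass
class Threat:
    category: str
    target: str
    risk: int


# Each model query inspects the DFD and yields the threats it recognizes.
def q_info_disclosure(flows: List[Flow], elements: List[Element]):
    # Flow crossing a trust boundary without transport protection.
    for f in flows:
        if f.crosses_boundary() and "tls" not in f.solutions:
            yield Threat("Information disclosure",
                         f"{f.src.name}->{f.dst.name}:{f.data}", f.sensitivity * 2)


def q_spoofing(flows: List[Flow], elements: List[Element]):
    # External entity sending data into a process that does not authenticate it.
    for f in flows:
        if f.src.kind == "external" and "auth" not in f.dst.solutions:
            yield Threat("Spoofing", f.dst.name, f.sensitivity)


def q_linkability(flows: List[Flow], elements: List[Element]):
    # Privacy query: sensitive data stored without pseudonymisation.
    for f in flows:
        if (f.dst.kind == "datastore" and "pseudonymise" not in f.dst.solutions
                and f.sensitivity >= 2):
            yield Threat("Linkability", f"{f.dst.name}:{f.data}", f.sensitivity + 1)


QUERIES = [q_info_disclosure, q_spoofing, q_linkability]


def elicit(flows: List[Flow], elements: List[Element]) -> List[Threat]:
    """Run every query and return the threats ordered by the risk indicator."""
    threats: List[Threat] = []
    for q in QUERIES:
        threats.extend(q(flows, elements))
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def build_sample_model():
    """Constructed sample DFD: a user talks to a web app that stores profiles."""
    user = Element("User", "external", "internet")
    web = Element("WebApp", "process", "dmz", {"auth"})
    db = Element("UserDB", "datastore", "internal")
    flows = [
        Flow(user, web, "credentials", 3, {"tls"}),   # protected boundary crossing
        Flow(web, db, "profile", 2),                  # dmz -> internal, no tls
    ]
    return flows, [user, web, db]


if __name__ == "__main__":
    flows, elements = build_sample_model()
    for t in elicit(flows, elements):
        print(f"[risk {t.risk}] {t.category} on {t.target}")
    # Annotating the second flow with a solution removes the matching threat.
    flows[1].solutions.add("tls")
    print("after adding tls:", [t.category for t in elicit(flows, elements)])
```

On the constructed model the queries report an information-disclosure threat on the unprotected WebApp-to-UserDB flow and a linkability threat on the stored profile, ranked by risk; adding the `tls` annotation to that flow makes the first query stop matching, which is the "effect of a solution" the extended DFD is meant to capture.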
Year of publication: 2020
Accessibility: Open