Model-based security analysis
Model-based security risk analysis uses diagrams (graphical models) to improve communication during the analysis, and to document and analyse the results.
Model-based security risk analysis is motivated by several factors:
- Improved precision in describing security-relevant aspects will usually improve the quality of the analysis results.
- Using recent techniques for graphical modelling is expected to improve communication between the interested parties, and thereby reduce the risk of misunderstandings.
- Using formal methods improves the possibility for re-use, which should reduce maintenance costs.
- Close integration of security analysis in the system development process is expected to reduce development costs as well as making it easier to reach an acceptable security level.
- Model-based security risk analysis supports model-driven system development.
Our method, CORAS, is based on the idea that requirement analysis and risk analysis are two closely related activities. During a requirement analysis the focus is mainly on documenting the required functionality of a system. In risk analysis you also want to understand how the system works, but the focus is on threat scenarios and unwanted behaviour.
More information on CORAS is available at http://coras.sourceforge.net/.