Towards Practical Cybersecurity Mapping of STRIDE and CWE : a Multi-perspective Approach
Honkaranta, A., Leppänen, T., & Costin, A. (2021). Towards Practical Cybersecurity Mapping of STRIDE and CWE : a Multi-perspective Approach. In S. Balandin, Y. Koucheryavy, & T. Tyutina (Eds.), FRUCT '29 : Proceedings of the 29th Conference of Open Innovations Association FRUCT (pp. 150-159). FRUCT Oy. Proceedings of Conference of Open Innovations Association FRUCT. https://doi.org/10.23919/FRUCT52173.2021.9435453
Date: 2021
Copyright: © 2021, IEEE
Cybersecurity practitioners seek to prevent software vulnerabilities throughout the whole life-cycle of systems. Threat modeling, which is done during the system design phase, is an efficient way of securing systems: preventing system flaws is easier and more efficient than patching the security of the system later on. Therefore, many Secure Software Development methods include threat modeling as an integral part of the methodology. STRIDE is a popular threat modeling method used by many practitioners. Threat modelers using the STRIDE method work with abstract threat categories, and would benefit from information about current system weaknesses and vulnerabilities. This information is available in weakness and vulnerability databases (such as the CWE and the CVE). To our knowledge, there exists no mapping between the STRIDE threats and the actual weaknesses and vulnerabilities listed in these databases, which hinders the effectiveness of threat modeling and of the DevSecOps and Secure Software Development Life Cycle methods as a whole. This work attempts to bridge the gap by exploring possible mappings between the STRIDE threats and the CWE weaknesses, with the goal of improving cybersecurity processes from end to end. The paper explores three different approaches for mapping STRIDE to the CWE weakness database and discusses the findings. The paper concludes that the mapping between STRIDE and the “Technical Impact” and “Scope” elements of the CWE entries is the most prominent candidate for the mapping. The paper also shows that the other mappings were challenged by the different conceptual backgrounds of threats and weaknesses. Finally, the paper discusses the challenges caused by the inherent vagueness of the items within the frameworks and the CWE and CVE databases, which means that mappings to these databases remain largely a manual task that should be carried out by domain experts.
...
Publisher: FRUCT Oy
Parent publication ISBN: 978-952-69244-5-8
Conference: Conference of Open Innovations Association
Is part of publication: FRUCT '29 : Proceedings of the 29th Conference of Open Innovations Association FRUCT
ISSN: 2305-7254
Publication in research information system
https://converis.jyu.fi/converis/portal/detail/Publication/89768550
Related items
Showing items with similar title or keywords.
- Frameworks for software threats and security in secure DevOps. Leppänen, Tiina (2022). This article-based master's thesis builds on two articles studying secure software development. The aim of the first article is to develop cybersecurity processes by studying and evaluating selected threat models ...
- Secure software design and development : towards practical models for implementing information security into the requirements engineering process. Väyrynen, Aino-Maria; Räisänen, Elina (2020). The aim of the requirements engineering process is to collect the ideas and needs of the parties identified as stakeholders of a product or service and to refine them into solutions. These solutions are used to eliminate, in the customer's business, ...
- Principles of social media monitoring and analysis software. Semenov, Alexander (University of Jyväskylä, 2013).
- Introducing Traceability in GitHub for Medical Software Development. Stirbu, Vlad; Mikkonen, Tommi (Springer International Publishing, 2021). Assuring traceability from requirements to implementation is a key element when developing safety critical software systems. Traditionally, this traceability is ensured by a waterfall-like process, where phases follow each ...
- Omission of Quality Software Development Practices : A Systematic Literature Review. Ghanbari, Hadi; Vartiainen, Tero; Siponen, Mikko (Association for Computing Machinery (ACM), 2018). Software deficiencies are minimized by utilizing recommended software development and quality assurance practices. However, these recommended practices (i.e., quality practices) become ineffective if software professionals ...