Show simple item record

dc.contributor.authorHonkaranta, Anne
dc.contributor.authorLeppänen, Tiina
dc.contributor.authorCostin, Andrei
dc.contributor.editorBalandin, Sergey
dc.contributor.editorKoucheryavy, Yevgeni
dc.contributor.editorTyutina, Tatiana
dc.date.accessioned2021-06-24T09:01:28Z
dc.date.available2021-06-24T09:01:28Z
dc.date.issued2021
dc.identifier.citationHonkaranta, A., Leppänen, T., & Costin, A. (2021). Towards Practical Cybersecurity Mapping of STRIDE and CWE : a Multi-perspective Approach. In S. Balandin, Y. Koucheryavy, & T. Tyutina (Eds.), <i>FRUCT '29 : Proceedings of the 29th Conference of Open Innovations Association FRUCT</i> (pp. 150-159). FRUCT Oy. Proceedings of Conference of Open Innovations Association FRUCT. <a href="https://doi.org/10.23919/FRUCT52173.2021.9435453" target="_blank">https://doi.org/10.23919/FRUCT52173.2021.9435453</a>
dc.identifier.otherCONVID_89768550
dc.identifier.urihttps://jyx.jyu.fi/handle/123456789/76839
dc.description.abstractCybersecurity practitioners seek to prevent software vulnerabilities during the whole life-cycle of systems. Threat modeling which is done on the system design phase is an efficient way for securing systems; preventing system flaws is easier and more efficient than patching the security of the system later on. Therefore, many Secure Software Development methods include threat modeling as an integral part of the methodology. STRIDE is a popular threat modeling method used by many practitioners. Threat modelers using the STRIDE method work with abstract threat categories, and would benefit learning about the information about current system weaknesses and vulnerabilities. The information is available on the weakness and vulnerability databases (such as the CWE and the CVE). To our knowledge, there exists no mapping between the STRIDE threats and the actual weaknesses and vulnerabilities listed on the databases, thus hindering the effectiveness of the threat modeling and the DevSecOps and Secure Software Development Life Cycle methods as a whole. This work attempts to bridge the gap by exploring possible mappings between the STRIDE threats and the CWE weaknesses, with the goal of improving the cybersecurity processes from end to end. The paper explores three different approaches for mapping the STRIDE to the CWE weakness database, and discusses the findings. The paper concludes that the mapping between the STRIDE and the CWE “Technical Impact” and “Scope” elements of the CWE entries is the most prominent for the mapping. Paper also shows that other mappings were challenged by the different conceptual backgrounds between the threats and the weaknesses. The paper also discusses the challenges caused by the inherent vagueness of the items within the frameworks and the CWE and CVE databases, causing that the mappings to these databases remain largely as a manual tasks, which should be carried out by the domain experts.en
dc.format.extent540
dc.format.mimetypeapplication/pdf
dc.language.isoeng
dc.publisherFRUCT Oy
dc.relation.ispartofFRUCT '29 : Proceedings of the 29th Conference of Open Innovations Association FRUCT
dc.relation.ispartofseriesProceedings of Conference of Open Innovations Association FRUCT
dc.rightsIn Copyright
dc.subject.otherTechnological innovation
dc.subject.otherEstimation
dc.subject.otherManuals
dc.subject.otherSoftware
dc.subject.otherTask analysis
dc.titleTowards Practical Cybersecurity Mapping of STRIDE and CWE : a Multi-perspective Approach
dc.typeconference paper
dc.identifier.urnURN:NBN:fi:jyu-202106244033
dc.contributor.laitosInformaatioteknologian tiedekuntafi
dc.contributor.laitosFaculty of Information Technologyen
dc.type.urihttp://purl.org/eprint/type/ConferencePaper
dc.relation.isbn978-952-69244-5-8
dc.type.coarhttp://purl.org/coar/resource_type/c_5794
dc.description.reviewstatuspeerReviewed
dc.format.pagerange150-159
dc.relation.issn2305-7254
dc.type.versionacceptedVersion
dc.rights.copyright© 2021, IEEE
dc.rights.accesslevelopenAccessfi
dc.type.publicationconferenceObject
dc.relation.conferenceConference of Open Innovations Association
dc.subject.ysoohjelmistokehitys
dc.subject.ysoohjelmistosuunnittelu (tietotekniikka)
dc.subject.ysotietokoneohjelmat
dc.subject.ysotietoturva
dc.subject.ysohaavoittuvuus
dc.subject.ysotietokannat
dc.subject.ysojärjestelmäsuunnittelu
dc.subject.ysokyberturvallisuus
dc.subject.ysomallit (mallintaminen)
dc.format.contentfulltext
jyx.subject.urihttp://www.yso.fi/onto/yso/p21530
jyx.subject.urihttp://www.yso.fi/onto/yso/p27066
jyx.subject.urihttp://www.yso.fi/onto/yso/p26592
jyx.subject.urihttp://www.yso.fi/onto/yso/p5479
jyx.subject.urihttp://www.yso.fi/onto/yso/p25011
jyx.subject.urihttp://www.yso.fi/onto/yso/p3056
jyx.subject.urihttp://www.yso.fi/onto/yso/p28347
jyx.subject.urihttp://www.yso.fi/onto/yso/p26189
jyx.subject.urihttp://www.yso.fi/onto/yso/p510
dc.rights.urlhttp://rightsstatements.org/page/InC/1.0/?language=en
dc.relation.doi10.23919/FRUCT52173.2021.9435453
dc.type.okmA4


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record

In Copyright
Except where otherwise noted, this item's license is described as In Copyright