Reviewing and Evaluating Techniques for Modeling and Analyzing Security Requirements

Abu-Sheikh, Khalil

January 2007

The software engineering community recognized the importance of addressing security requirements with other functional requirements from the beginning of the software development life cycle. Therefore, there are some techniques that have been developed to achieve this goal. Thus, we conducted a theoretical study that focuses on reviewing and evaluating some of the techniques that are used to model and analyze security requirements. Thus, the Abuse Cases, Misuse Cases, Data Sensitivity and Threat Analyses, Strategic Modeling, and Attack Trees techniques are investigated in detail to understand and highlight the similarities and differences between them. We found that using these techniques, in general, help requirements engineer to specify more detailed security requirements. Also, all of these techniques cover the concepts of security but in different levels. In addition, the existence of different techniques provides a variety of levels for modeling and analyzing security requirements. This helps requirements engineer to decide which technique to use in order to address security issues for the system under investigation. Finally, we found that using only one of these techniques will not be suitable enough to satisfy the security requirements of the system under investigation. Consequently, we consider that it would be beneficial to combine the Abuse Cases or Misuse Cases techniques with the Attack Trees technique or to combine the Strategic Modeling and Attack Trees techniques together in order to model and analyze security requirements of the system under investigation. The concentration on using the Attack Trees technique is due to the reusability of the produced attack trees, also this technique helps in covering a wide range of attacks, thus covering security concepts as well as security requirements in a proper way.

Security Requirements

Abuse Cases

Misuse Cases

Data Sensitivity and Threat Analyses

Strategic Modeling

Attack Trees.

Software Engineering

Programvaruteknik

A decentralized Git version controlsystem : A proposed architecture and evaluation of decentralized Git using DAG-based distributed ledgers

Habib, Christian, Ayoub, Ilian

January 2022

This thesis proposes an implementation for a decentralized version of the Git version controlsystem. This is achieved using a simple distributed DAG ledger. The thesis analyzeshow the decentralization of Git affects security. Use and misuse cases are used to compareand evaluate conventional Git web services and a decentralized version of Git. Theproposed method for managing the state of the Git project is described as a voting systemwhere participants in a Git project vote on changes to be made. The security evaluationfound that the removal of privileged roles in the Git version control system, mitigated thepossibility of malicious maintainers taking over the project. However, with the introductionof the DAG ledger and the decentralization, the possibility of a malicious actor takingover the network using Sybil attack arises, which in turn could cause the same issues as amalicious maintainer.

Blockchain

Distributed ledger technology

Git

Version control systems

Software Security

Web3

Misuse cases

Computer Sciences

Datavetenskap (datalogi)