Security Modeling with SeaMonster:: A survey of information sources used when modeling threats and attacks

Abstract

Software security is becoming increasingly important during software development. One reason for this is that attackers have evolved from being teenagers trying to improve their skills to people involved in organized crime with economic or political motives, so the consequence of attacks can be disastrous. Today, there is a knowledge gap between security experts and developers. Security experts know much about software security, but not necessarily so much about software development, and software developers know much about software development, but not necessarily so much about software security. Security models can be used to reduce this gap. They are easy to understand, reusable artifacts that can help spread knowledge in the field of software security. Traditionally, a problem has been lack of proper tool support, and because of that SeaMonster, a project initiated by SINTEF Autumn 2007, created a graphical security modeling tool carrying the name SeaMonster. With a modeling tool in place, one can focus on how to improve the security models themselves. A prestudy is done to find state-of-the-art sercurity modeling techniques and sources of information, with a focus on threats and attacks. A selection of the sources are used for security model creation, and the results are evaluated.