The latest IEEE Security & Privacy Journal has an article that I co-wrote with John Steven on Misuse Cases. The goal of the series and this article is to get beyond the hand-wavy "security needs to get involved in the development lifecycle", and instead provide the where, what, and how of security's involvement, with specific ways of doing this. Gary McGraw's latest book has excellent methods for doing this, as does Mike Howard's. One idea that Mike Howard talks about is particularly important: everything that security attempts to impose on developers is like a tax on the developers' time. As such, security's requests must be targeted at the areas of strategic importance, and in my view part of what this means is that security should be involved early enough in the lifecycle so that security can work in parallel with developers on building more secure code. It is hard to get involved much earlier than use case modeling, which is what this article is about -- Defining Misuse in the Development Lifecycle.
In the article we explore how misuse cases are related to use cases, what to model, how misuse cases relate to architecture, and related considerations. We will continue on this theme over the next several issues of S&P.