• Security use cases are derived from abuse cases
  • Security use cases capture the security requirements needed to defeat each abuse case
  • It uncovers software abuse cases and their responses

Security Use Cases are Abuse Case Driven

Modeling Steps for Security Use Cases

  1. Analyze the possible abuse cases generated for the system
  2. Identify the security steps required to mitigate each abuse case at a granular level
  3. Include "mitigation" mappings between each security use case and the abuse case it addresses
  4. Construct a generalized use case model consisting of use, abuse, and security use cases

Mitigates Relationship

  1. The mitigates relationship in a use case can portray the circumstances under which the impact of an abuse case on a user or system can be avoided
  2. It provides countermeasures to uncover the abuse case

Abuse Case vs Security Use Case

Security Use Case: Advantages and Disadvantages

  • Advantages
    Large applications mostly use security use cases
    Most security use cases depend on scientific and precise methods to define the security encounters in the system
  • Disadvantages
    Cannot be used for small applications
    Possibility of architectural and design issues in the system

Security Use Case Template

Use the normal use case template to describe security use cases

Typical security template consists of:

Security Use Case Guidelines

  • Use cases should only specify the vital requirements needed for the development of the application
  • Always ensure that the use cases do not include any architectural mechanisms like User ID, passwords, biometrics, etc.
  • You may check the structure or arrangement of the user's interaction with the system and specify its order. In this way, it is possible to limit the chance of constraints evolving in the design
  • It is advisable to create a base security case for various types of security requirements in the organization
  • Always document the threats and risks with the help of security use cases
  • The difference between user and misuser interactions must be specified in a transparent way in the security use cases
  • The security use case should provide different scenarios for externally-visible actions and for those which are hidden
  • Always clearly document both preconditions and postconditions in a security use case
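
The modeling steps and guidelines above can be checked mechanically once the model is written down as data. The following is an added example, not part of the original material: a small Python lint that flags abuse cases with no "mitigates" mapping, mappings to unknown abuse cases, security use cases that name an architectural mechanism, and missing pre/postconditions. The class names, rule names and sample model are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
# Architectural mechanisms the guidelines say a security use case must not name.
MECHANISMS = re.compile(r"\b(user ?id|passwords?|biometrics?)\b", re.I)

@dataclass
class AbuseCase:
    name: str
    misuser: str               # who performs the abuse (hypothetical field)

@dataclass
class SecurityUseCase:
    name: str
    mitigates: list            # names of the abuse cases this use case defeats
    requirement: str
    preconditions: list = field(default_factory=list)
    postconditions: list = field(default_factory=list)

def lint_model(abuse_cases, security_use_cases):
    """Return sorted (rule, subject) findings for an abuse/security use case model."""
    findings = set()
    known, covered = {a.name for a in abuse_cases}, set()
    for suc in security_use_cases:
        for target in suc.mitigates:
            if target in known:
                covered.add(target)
            else:  # "mitigates" arrow points at an abuse case that was never modeled
                findings.add(("dangling-mitigates", f"{suc.name} -> {target}"))
        if MECHANISMS.search(suc.requirement):
            findings.add(("names-mechanism", suc.name))
        if not suc.preconditions or not suc.postconditions:
            findings.add(("missing-conditions", suc.name))
    findings.update(("unmitigated-abuse-case", n) for n in known - covered)
    return sorted(findings)

# Constructed sample model, not taken from the page.
ABUSE = [AbuseCase("Guess credentials", "outsider"),
         AbuseCase("Tamper with order total", "customer"),
         AbuseCase("Read another user's invoice", "customer")]
SECURITY = [
    SecurityUseCase("Control access", ["Guess credentials"],
                    "The system shall verify identity with a password before any order action",
                    ["Misuser has no valid session"], ["No session is granted"]),
    SecurityUseCase("Protect order integrity", ["Tamper with order total", "Replay payment"],
                    "The system shall reject an order whose total differs from the priced items"),
]

if __name__ == "__main__":
    print(*lint_model(ABUSE, SECURITY), sep="\n")
```

Each finding corresponds to one modeling step or guideline, so the output reads as a review checklist for the model.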