What if security people were to adopt a similar approach, but instead of looking at the correct way to interacting with a system, they were to map out a series of computer 'misuse cases' to show how systems could be improperly used, either by accident or for malicious purposes? If that were done ahead of time, then it would be easier to plans for such eventualities, and also to define what is needed from a security point of view.
This is the argument outlined by John Neil Ruck and Geraint Price, in a new article published in SearchSecurity.co.uk, entitled 'Misuse Cases: earlier and smarter information security' (see below for the full .pdf). The article is part of our 2009 series featuring the best new MSc theses from graduates of the information security group at Royal Holloway University of London (RHUL).
The authors argue that misuse cases could be embedded into the software development lifecycle, from the very earliest definition of requirements, right through to final testing. They would help to define and prioritise the security requirements at an early stage, and they would also help in ensuring that all security requirements have been met before the systems goes into production.
To illustrate the power of the concept, the authors provide a hypothetical case study of an IT contractor management system, and show how the many possible misuses can be pre-determined and accounted for.
Read Misuse cases: Earlier and smarter information security (.pdf) by John Neil Ruck and Geraint Price.
SearchSecurity's association with RHUL began last year when we published 12 articles from RHUL's MSc graduates. These were widely appreciated for their new ideas and relevance to security problems. We believe the 2009 series is equally wide-ranging and thought-provoking.
This was first published in June 2009