One of the biggest challenges for security people is to imagine what might go wrong with their systems and to plan for those eventualities. What effects could users' mistakes have on the smooth running of the systems? And how could thieves and hackers cause problems?
One approach is to borrow from software developers. They build their systems to meet a set of pre-defined uses that have been mapped out in the requirements and design stage.
What if security people were to adopt a similar approach, but instead of looking at the correct way of interacting with a system, they were to map out a series of computer 'misuse cases' to show how systems could be improperly used, either by accident or for malicious purposes? If that were done ahead of time, then it would be easier to plan for such eventualities, and also to define what is needed from a security point of view.
This is the argument outlined by John Neil Ruck and Geraint Price, in a new article published in SearchSecurity.co.uk, entitled 'Misuse Cases: earlier and smarter information security' (see below for the full .pdf). The article is part of our 2009 series featuring the best new MSc theses from graduates of the information security group at Royal Holloway University of London (RHUL).
The authors argue that misuse cases could be embedded into the software development lifecycle, from the very earliest definition of requirements, right through to final testing. They would help to define and prioritise the security requirements at an early stage, and they would also help in ensuring that all security requirements have been met before the system goes into production.
To illustrate the power of the concept, the authors provide a hypothetical case study of an IT contractor management system, and show how the many possible misuses can be pre-determined and accounted for.
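To show what embedding misuse cases in the lifecycle looks like in practice, the following added example (not code from the article or its authors) models a small, constructed set of misuse cases for a contractor management system, ranks them by likelihood and impact at the requirements stage, and, at the testing stage, reports every misuse case that lacks a mitigating security requirement or whose requirement has not yet been verified by a passing test. All identifiers, misuse cases, requirements and test names are hypothetical sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MisuseCase:
    """One way the system could be improperly used, by accident or on purpose."""
    id: str
    description: str
    actor: str            # "insider", "outsider" or "accidental"
    likelihood: int       # 1 (rare) .. 5 (frequent)
    impact: int           # 1 (minor) .. 5 (severe)
    mitigated_by: tuple = ()   # ids of the security requirements that counter it

    @property
    def risk(self) -> int:
        # Simple risk score used to prioritise requirements work.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class SecurityRequirement:
    id: str
    text: str
    verified_by: tuple = ()    # ids of the test cases that demonstrate it is met


# Constructed sample data for a hypothetical contractor management system.
MISUSE_CASES = [
    MisuseCase("MU-1", "A contractor's account stays active after the contract ends",
               "insider", likelihood=4, impact=4, mitigated_by=("SR-1",)),
    MisuseCase("MU-2", "A manager accidentally grants a contractor administrator rights",
               "accidental", likelihood=3, impact=5, mitigated_by=("SR-2",)),
    MisuseCase("MU-3", "An outsider repeatedly guesses a contractor's portal password",
               "outsider", likelihood=3, impact=3, mitigated_by=("SR-3",)),
    MisuseCase("MU-4", "A contractor views another contractor's rate and contract details",
               "insider", likelihood=2, impact=3),   # no requirement defined yet
]

REQUIREMENTS = {
    "SR-1": SecurityRequirement("SR-1", "Accounts are disabled automatically on the contract end date",
                                verified_by=("T-1",)),
    "SR-2": SecurityRequirement("SR-2", "Privilege changes require approval by a second administrator",
                                verified_by=("T-2",)),
    "SR-3": SecurityRequirement("SR-3", "The portal locks an account after repeated failed logins",
                                verified_by=("T-3",)),
}

# Test cases that have passed so far in this (constructed) test run.
PASSED_TESTS = {"T-1", "T-2"}


def prioritise(cases):
    """Order misuse cases by risk so the worst ones shape requirements first."""
    return sorted(cases, key=lambda c: c.risk, reverse=True)


def coverage_gaps(cases, requirements, passed_tests):
    """Map each uncovered misuse case id to the reason it is not yet addressed.

    A misuse case is covered only when every requirement it points at exists,
    has at least one test, and all of those tests have passed.
    """
    gaps = {}
    for case in cases:
        if not case.mitigated_by:
            gaps[case.id] = "no security requirement"
            continue
        for req_id in case.mitigated_by:
            req = requirements.get(req_id)
            if req is None:
                gaps[case.id] = f"unknown requirement {req_id}"
                break
            if not req.verified_by:
                gaps[case.id] = f"requirement {req_id} has no test"
                break
            missing = [t for t in req.verified_by if t not in passed_tests]
            if missing:
                gaps[case.id] = f"requirement {req_id}: tests not passed {missing}"
                break
    return gaps


def release_ready(cases, requirements, passed_tests) -> bool:
    """True only when every misuse case is traced to a verified requirement."""
    return not coverage_gaps(cases, requirements, passed_tests)


if __name__ == "__main__":
    for case in prioritise(MISUSE_CASES):
        print(f"{case.id} risk={case.risk:2d} [{case.actor}] {case.description}")
    for case_id, reason in coverage_gaps(MISUSE_CASES, REQUIREMENTS, PASSED_TESTS).items():
        print(f"GAP {case_id}: {reason}")
    print("release ready:", release_ready(MISUSE_CASES, REQUIREMENTS, PASSED_TESTS))
```

Run as a script it lists the misuse cases in priority order, flags MU-3 (its lockout test has not passed) and MU-4 (no requirement at all), and reports that the system is not ready for production; the same check belongs in the release gate so that a misuse case identified early cannot silently drop out of scope by the time the system is tested.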
Read Misuse cases: Earlier and smarter information security (.pdf) by John Neil Ruck and Geraint Price.
SearchSecurity's association with RHUL began last year when we published 12 articles from RHUL's MSc graduates. These were widely appreciated for their new ideas and relevance to security problems. We believe the 2009 series is equally wide-ranging and thought-provoking.