Authors: Maheshwari Venkatasen; Prasanna Mani
Addresses: School of Information Technology and Engineering, Vellore Institute of Technology University, Vellore, Tamilnadu, 632014, India ' School of Information Technology and Engineering, Vellore Institute of Technology University, Vellore, Tamilnadu, 632014, India
Abstract: To improve the security of an e-government, software engineering plays a vital role. During the application development for an e-government, there exist several risks. To analyse those risks, threat modelling methodology which is defined as the process to understand and address the threats of an application. Threat modelling is used to determine security controls and countermeasures for the targeting attacks. This paper describes an approach to identify how far the attack penetrates in risk layers and how the model defends from an attacker in e-government systems. The relevant attacks are retrieved from the attack pattern information is gathered from MITRE's common attack pattern enumeration and classification (CAPEC) security source. This architecture dynamically identifies the risk severity and prioritises the risk in a single step. An attack pattern applied to a risk-centric defensive architecture model to identify threat severity and also it is prioritised based on its impact. We validate risk-centric defensive architecture model by implementing it in a tool based on data flow diagrams (DFDs), from the Microsoft security development methodology.
Keywords: threat model; Microsoft STRIDE; attack pattern; CAPEC; common attack pattern enumeration and classification; SDLC; software development life cycle; e-government.
Electronic Government, an International Journal, 2018 Vol.14 No.1, pp.16 - 31
Available online: 25 Jan 2018 *Full-text access for editors Access for subscribers Free access Comment on this article