Article: A risk-centric defensive architecture for threat modelling in e-government application Journal: Electronic Government, an International Journal (EG) 2018 Vol.14 No.1 pp.16 - 31 Abstract: To improve the security of an e-government, software engineering plays a vital role. During the application development for an e-government, there exist several risks. To analyse those risks, threat modelling methodology which is defined as the process to understand and address the threats of an application. Threat modelling is used to determine security controls and countermeasures for the targeting attacks. This paper describes an approach to identify how far the attack penetrates in risk layers and how the model defends from an attacker in e-government systems. The relevant attacks are retrieved from the attack pattern information is gathered from MITRE's common attack pattern enumeration and classification (CAPEC) security source. This architecture dynamically identifies the risk severity and prioritises the risk in a single step. An attack pattern applied to a risk-centric defensive architecture model to identify threat severity and also it is prioritised based on its impact. We validate risk-centric defensive architecture model by implementing it in a tool based on data flow diagrams (DFDs), from the Microsoft security development methodology. Inderscience Publishers - linking academia, business and industry through research

Title: A risk-centric defensive architecture for threat modelling in e-government application

Authors: Maheshwari Venkatasen; Prasanna Mani

Addresses: School of Information Technology and Engineering, Vellore Institute of Technology University, Vellore, Tamilnadu, 632014, India ' School of Information Technology and Engineering, Vellore Institute of Technology University, Vellore, Tamilnadu, 632014, India

Abstract: To improve the security of an e-government, software engineering plays a vital role. During the application development for an e-government, there exist several risks. To analyse those risks, threat modelling methodology which is defined as the process to understand and address the threats of an application. Threat modelling is used to determine security controls and countermeasures for the targeting attacks. This paper describes an approach to identify how far the attack penetrates in risk layers and how the model defends from an attacker in e-government systems. The relevant attacks are retrieved from the attack pattern information is gathered from MITRE's common attack pattern enumeration and classification (CAPEC) security source. This architecture dynamically identifies the risk severity and prioritises the risk in a single step. An attack pattern applied to a risk-centric defensive architecture model to identify threat severity and also it is prioritised based on its impact. We validate risk-centric defensive architecture model by implementing it in a tool based on data flow diagrams (DFDs), from the Microsoft security development methodology.

Keywords: threat model; Microsoft STRIDE; attack pattern; CAPEC; common attack pattern enumeration and classification; SDLC; software development life cycle; e-government.

DOI: 10.1504/EG.2018.089537

Electronic Government, an International Journal, 2018 Vol.14 No.1, pp.16 - 31

Received: 31 Jan 2017
Accepted: 23 Mar 2017
Published online: 29 Jan 2018 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article

Title: A risk-centric defensive architecture for threat modelling in e-government application

Keep up-to-date