Abstract

Developers should incorporate software security best practices from the early stages of the software development lifecycle (SDLC) in order to build software that is more robust against security attacks. However, incorporating security practices early in the SDLC is difficult for novice software developers who lack a systematic approach to addressing security issues. In this paper, we propose a preliminary method for deriving abuse cases, one of the software security best practices, from use case descriptions and attack patterns, and we evaluate the method in a user study. We investigated how effectively the proposed method helps novices develop abuse cases and gained insights into how a novice in software security selects keywords from use case descriptions and selects relevant attack patterns when developing abuse cases. Our main findings concern (1) the approaches participants used to select the keywords and the attack patterns as they related to the use cases; (2) the approach used to select relevant attack patterns; (3) the relationship between the keywords and the attack patterns; and (4) the observation that use cases based on textual content showed the method can be effective in assisting non-experts to create abuse cases. Finally, we suggest possible approaches for selecting keywords more effectively and discuss the implications of using an inference engine to build relationships between use cases and attack patterns.
