Identifying Potential Security Flaws using Loophole Analysis and the SECREt

Abstract

In contemporary software development there are a number of methods that attempt to ensure the security of a system. Many of these methods are however introduced in the latter stages of development or try to address the issues of securing a software system by envisioning possible threats to that system, knowledge that is usually both subjective and esoteric. In this paper we introduce the concept of path fixation and discuss how contradictory paths or loopholes, discovered during requirements engineering and using only a requirements specification document, can lead to potential security flaws in a proposed system. The SECREt is a proof-of-concept prototype tool developed to demonstrate the effectiveness of loophole analysis. We discuss how the tool performs a loophole analysis and present the results of tests conducted on an actual specification document. We conclude that loophole analysis is an effective, objective method for the discovery of potential vulnerabilitites that exist in proposed systems and that the SECREt can be successfully incorporated into the requirements engineering process.