A Security Evaluation Framework Based on STRIDE Model for Software in Networks

Software in networks, which is a special kind of applications in service-oriented computing and ultra-large-scale systems, is a complex software system deploying on network environment. Requirements of networked software pose many security problems owing to the dynamic topology structure and users’ uncertainty. How to evaluate the degree of software security in networks is a challenging problem. In this paper, we present a framework for flexible assessing software to determine how well it can satisfy intended security requirements. On the basis of analyzing the threats which software in network facing, a security evaluation method based on STRIDE model is proposed. According to its own features of networked software and threat classification method of STRIDE model, we design a SN-Security Evaluation Model, in which the dependability-based, vulnerability-based and risk-based approaches are incorporated for the software security estimation. It provides a valuable way to help users to create the threat modeling and evaluating the safety degree for software security. A case study is conducted to verify the framework proposed in the paper.