Fuzzy Logic Approach for Threat Prioritization in Agile Security Framework using DREAD Model (1312.6836v1)

Abstract: For a qualitative system sound security practices must be a crucial part throughout the entire software lifecycle. Furthermore, agile software development has paved the way for overcoming the problems faced by developers during traditional development process. In the given paper we are using an Agile Security Framework that is compatible with practices of agile processes and inherit in it the benefits of security engineering activities in the form of risk assessment and threat prioritization. One of the most popular techniques to deal with ever growing risks associated with security threats is DREAD model. It is used for rating risk of threats identified in the abuser stories. In this model threats needs to be defined by sharp cutoffs. However, such precise distribution is not suitable for risk categorization as risks are vague in nature and deals with high level of uncertainty. In view of these risk factors, our paper proposes a novel fuzzy approach using DREAD model for computing risk level that ensures better evaluation of imprecise concepts. Thus it provides the capacity to include subjectivity and uncertainty during risk ranking. A case study has been presented to illustrate and compare the proposed approach with the existing one using Matlab.