Towards Practical Cybersecurity Mapping of STRIDE and CWE a Multi-perspective Approach

Anne Honkaranta; Tiina Leppanen; Andrei Costin

doi:10.23919/FRUCT52173.2021.9435453

Proceedings of the XXth Conference of Open Innovations Association FRUCT (May 2021)

Towards Practical Cybersecurity Mapping of STRIDE and CWE a Multi-perspective Approach

Anne Honkaranta,
Tiina Leppanen,
Andrei Costin

Affiliations

Anne Honkaranta: University of Jyvaskyla, Finland
Tiina Leppanen: University of Jyvaskyla, Finland
Andrei Costin: University of Jyvaskyla, Finland

DOI: https://doi.org/10.23919/FRUCT52173.2021.9435453
Journal volume & issue: Vol. 29, no. 1
pp. 150 – 159

Abstract

Read online

Software vulnerabilities are identified during their whole life-cycle; some vulnerabilities may be caused by flaws on the design while other appear due to advances on the technologies around the systems. Frameworks such as OWASP are well- known and are used for testing a systems security before or after implementation, and such testing is carried out against the existing system. Threat modeling however focuses on the early stages of the system design when it is feasible and easy to fix security-related flaws and prevent possible damage caused by them. For example, STRIDE is one very popular threat modeling framework. A STRIDE threat modelling specialist deals with abstract categorizations of threats. (S)he needs to be aware of the real-life weaknesses and vulnerabilities related to the threats identified. Real-life examples of vulnerabilities provide important information for analyzing the severity and outcome of the threats as well as providing measures for the their mitigation. However, the actual security vulnerabilities are mainly collected and classified using other taxonomies such as Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE). Therefore, in real-life of cybersecurity practitioners there are multiple gaps between the threat modelling approaches (such STRIDE) and the corresponding classifications and databases (such as CWE, CVE) that are used in practice as systems are deployed and running. As a consequence, such gaps prevent the cybersecurity processes (such as DevSecOps, Secure SDLC) to be as effective as possible. This work attempts to bridge some of these gaps by exploring possible mappings between STRIDE and CWE with the goal of improving the cybersecurity processes end-to-end. The paper explores three different approaches of how the STRIDE threats could be mapped to the real-life system weaknesses within the CWE database, and discusses the findings of those three mapping trials. We show that the direct and unambiguous mapping may potentially be carried out between the STRIDE and the Technical Impact and Scope elements of the CWE entries. We also show that other mappings that seem intuitive at first are challenged by the different conceptual backgrounds between the threats and the weaknesses. The paper also discusses the challenges caused by the inherent vagueness of the items within the frameworks and the CWE, CVE databases which may still leave the mapping largely as a manual task carried out by the domain experts.

Published in Proceedings of the XXth Conference of Open Innovations Association FRUCT

ISSN: 2305-7254 (Print); 2343-0737 (Online)
Publisher: FRUCT
Country of publisher: Finland
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering: Telecommunication
Website: http://fruct.org/publication

About the journal

Abstract

Keywords