This topic is very pertinent. I agree that the lack of attention paid to security in many development projects stems from an inability to track security requirements in the software development life cycle. By addressing security requirements in a use case model, I believe that traceability can be improved enormously. However, traditional use cases are not always adequate to express security requirements. For example, whereas it may be possible to say that a user needs to authenticate to perform an action, it is not possible to express that attackers must be prevented from executing their own code on the system. I therefore feel there is a strong case for extending the use case concept to abuse cases, as introduced by McDermott in C. Fox, "Using Abuse Case Model for Security Requirements Analysis" in 1999 (http://www.acsac.org). In agile ecologies, use cases have transmuted to user stories. I have proposed to also extend user stories to abuser stories (http://www.johanpeeters.com/papers/abuser stories.pdf).
kr, Yo Gunnar Peterson wrote:
I have published a new paper on integrating security into Use Case Modeling: http://www.arctecgroup.net/secusecase.htm -gp
-- Johan Peeters http://www.johanpeeters.com +32 16 649000