Article in Proceedings INPROC-2019-40

Bibliographic data
Saatkamp, Karoline; Krieger, Christoph; Leymann, Frank; Sudendorf, Julian; Wurster, Michael: Application Threat Modeling and Automated VNF Selection for Mitigation using TOSCA.
In: 2019 International Conference on Networked Systems (NetSys).
Universität Stuttgart, Fakultät Informatik, Elektrotechnik und Informationstechnik.
pp. 1-6, English.
IEEE, October 2019.
ISBN: 10.1109/NetSys.2019.8854524.
Article in Proceedings (Workshop Contribution).
CR Classification: D.2.2 (Software Engineering Design Tools and Techniques)
Keywords: Threat Modeling; VNF; STRIDE; TOSCA
Abstract

In the era of the Internet of Things (IoT), the interconnectedness of devices, and thus the need to protect them against threats, has increased. The widely used threat modeling method STRIDE can be used to identify the system's vulnerabilities and to determine appropriate mitigation solutions. In connected environments, the network layer in particular plays a critical role in achieving security. Based on the Network Functions Virtualization (NFV) concept, network functions can be virtualized and provisioned on standard IT hardware. Virtualized Network Functions (VNFs) increase the flexibility of the provisioning, and thus security network functions, such as firewalls, can be easily deployed. However, in a complex distributed system it is time-consuming, error-prone, and for application architects not even possible to identify and provision the required security functions. For the orchestration and management of applications, the TOSCA modeling language can be used to describe the application's components and their relations in a deployment model. The standard was mainly developed for cloud applications but was extended to the network layer. In this paper, we present a TOSCA-based approach for threat modeling based on STRIDE that facilitates the automated VNF selection and injection into TOSCA deployment models. The feasibility of our approach is validated by an extension of the TOSCA modeling tool Winery.

Department(s): Universität Stuttgart, Institut für Architektur von Anwendungssystemen
Project(s): IC4F; ADDCompliance
Entry date: March 27, 2020