2021
Conference Paper
Title
Ensuring threat-model assumptions by using static code analyses
Abstract
In the past years, the security of information systems has become more and more important. Threat modeling techniques are applied during the design phase of the development, helping to find potential threats as early as possible. However, assumptions made at this development step are often not considered in later steps or are not validated correctly, particularly not during the concrete implementation of the system. To overcome this problem, we present cards, a security modeling approach on the architectural level which utilizes code analyses to validate assumptions made during the threat modeling phase. cards helps ensure a correct implementation but also allows one to determine which effect code vulnerabilities can have on the overall architecture, as described through models. We implemented cards based on the Eclipse Modeling Framework, for Java-based system implementations. We evaluated cards based on the CoCoME case study to show its efficacy. The evaluation showed that cards can ease the validation of assumptions made during threat modeling and reduce the overall analysis effort.