A Catalog of Security Architecture Weaknesses

@article{Santos2017ACO,
  title={A Catalog of Security Architecture Weaknesses},
  author={Joanna C. S. Santos and Katy Tarrit and Mehdi Mirakhorli},
  journal={2017 IEEE International Conference on Software Architecture Workshops (ICSAW)},
  year={2017},
  pages={220-223}
}
Secure by design is an approach to developing secure software systems from the ground up. In such an approach, alternative security tactics are first considered; among them, the best are selected and enforced by the architecture design, and then used as guiding principles for developers. Thus, design flaws in the architecture of a software system mean that successful attacks could have enormous consequences. Therefore, secure by design shifts the main focus of software assurance from finding…

An empirical study of tactical vulnerabilities

Automating the early detection of security design flaws

This paper focuses on design inspection and explores the potential for automating the application of inspection rules to speed up the security analysis and suggests that the automated technique could guide security analysts towards a more complete inspection of the software design, especially for large models.

Understanding Software Security from Design to Deployment

The second edition of the International Workshop on Security from Design to Deployment (SEAD) at the International Conference on Automated Software Engineering (ASE) 2020 aimed to bring the research and practitioner communities of requirements engineers, security experts, architects, developers, and testers together to formulate solutions related to automating the analysis, design, implementation, testing, and maintenance of secure software systems.

Architectural Security Weaknesses in Industrial Control Systems (ICS) an Empirical Study Based on Disclosed Software Vulnerabilities

This paper presents the first in-depth analysis of 988 vulnerability advisory reports for Industrial Control Systems developed by 277 vendors to measure which components of ICS have been affected the most by known vulnerabilities, which security tactics were affected most often in ICS and what are the common architectural security weaknesses in these systems.

Mitigating security threats through the use of security tactics to design secure cyber-physical systems (CPS)

The principled derivation of architectural tactics for an actual SCADA-SAP bridge is reported, where security was the key concern and the key inputs were a well-known taxonomy of architectural tactics and a detailed record of trade-offs among these tactics.

Security Threat and Vulnerability Assessment and Measurement in Secure Software Development

A detailed overview of secure software development practices while taking care of project costs and deadlines is provided, and a secure SDLC framework based on the identified practices is proposed, which integrates the best security practices in various SDLC phases.

Strategies for Pattern-Based Detection of Architecturally-Relevant Software Vulnerabilities

This paper's guiding observation was that vulnerabilities belonging to the same category result in commonalities in the source code, which led to the hypothesis that it is possible to define patterns that can be used to detect similar vulnerabilities.

Metamorphic Testing for Web System Security

Metamorphic Security Testing for Web-interactions (MST-wi), a metamorphic testing approach that integrates test input generation strategies inspired by mutational fuzzing and alleviates the oracle problem in security testing, is proposed; results demonstrate that the approach scales, thus enabling automated security testing overnight.

A Stakeholder-Centric Approach for Defining Metrics for Information Security Management Systems

A set of metrics has been defined that covers all facets of ISMS and addresses security concerns of all categories of stakeholders and would help in the design of an effective and efficient ISMS.

References

Software Security: Building Security In

  • G. McGraw
  • Computer Science
  • 2006 17th International Symposium on Software Reliability Engineering
  • 2006
This book presents a detailed approach to getting past theory and putting software security into practice, and describes a manageably small set of touchpoints based around the software artifacts that you already produce that can be adopted without radically changing the way you work.

Research on software design level security vulnerabilities

Current practices in specific software design tasks, vulnerabilities and mitigation mechanism are discussed and areas of research are identified that warrant further investigation.

A methodological approach to apply security tactics in software architecture design

This study presents a methodological approach to addressing and specifying the quality attribute of security in architecture design by applying security tactics, illustrated with a case study of a Tsunami Early Warning System.

Catalog of security tactics linked to common criteria requirements

A brief introduction to the Common Criteria standard and to Goal Structuring Notation is given, the full structured and refined catalog of security tactics is presented, and the benefits of the link with the Common Criteria security standard regarding security certification are discussed.

Revising a Security Tactics Hierarchy through Decomposition, Reclassification, and Derivation

  • J. Ryoo, P. Laplante, R. Kazman
  • Computer Science
  • 2012 IEEE Sixth International Conference on Software Security and Reliability Companion
  • 2012
Using a well-known taxonomy of security tactics, a novel methodology of extracting tactics is proposed and it is claimed that the revised hierarchy is complete enough for use in practical applications.

Detecting, Tracing, and Monitoring Architectural Tactics in Code

A machine learning approach for discovering and visualizing architectural tactics in code, mapping these code segments to tactic traceability patterns, and monitoring sensitive areas of the code for modification events in order to provide users with up-to-date information about underlying architectural concerns is presented.

A tactic-centric approach for automating traceability of quality concerns

This paper presents a novel approach for automating the construction of traceability links for architectural tactics using machine learning methods and lightweight structural analysis to detect tactic-related classes and train the trace algorithm using code extracted from performance-centric and safety-critical open source software systems.

Security Patterns - Integrating Security and Systems Engineering

This book discusses the development of security patterns in the enterprise, the history of Security Patterns, and some of the strategies used to develop and apply these patterns.

Software architecture in practice

This second edition of the book reflects new developments in the field and a new understanding of the important underpinnings of software architecture, with new case studies, new chapters, and additions to and elaboration of the existing chapters.

Using semantic templates to study vulnerabilities recorded in large software repositories

Findings are presented from a study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository, together with results from the study of vulnerabilities in the Apache web server.