Automatic security-flaw detection replication and comparison
Publication Type
Conference Paper
Date Issued
2023-10
Language
English
Start Page
84
End Page
94
Citation
26th International Conference on Model Driven Engineering Languages and Systems (MODELS 2023)
Threat modeling is an essential step in secure software system development. It is a manual, attacker-centric approach for identifying architecture-level security flaws during the planning phase of software systems. In recent years, academia has presented two methods to automate threat detection that do not focus on a particular class of security flaws but offer general-purpose means to describe security flaws. This paper compares both approaches on an equal data foundation that was published with one of the approaches. Therefore, we specify a model-to-model transformation for converting between the approaches to allow this conceptual replication. Additionally, we provide security flaw patterns for the second approach that any user of the approach can use. We then replicate the detection with the second security flaw detection approach to compare both approaches. We focus our analysis on differences between automation-specific and approach-specific finding misclassifications to identify whether some flaws are harder to find with an automated approach than others. We find that missed flaws usually stem from the imprecise definition of security flaws, while incorrectly identified flaws are approach-dependent. Despite that, both approaches perform similarly. The knowledge base, the transformation scripts and the evaluation script are publicly available to support the research community.
Subjects
automation
comparison
dataflow diagrams
interoperability
security flaw detection
threat modeling
DDC Class
620: Engineering