Inspection guidelines to identify security design flaws

Publikationstyp
Conference Paper
Date Issued
2019-09
Sprache
English
Author(s)
Tuma, Katja  
Hosseini, Danial  
Malamas, Kyriakos  
Scandariato, Riccardo  
TORE-URI
http://hdl.handle.net/11420/10255
Start Page
116
End Page
122
Citation
European Conference on Software Architecture (ECSA 2019): 116-122
Contribution to Conference
13th European Conference on Software Architecture, ECSA 2019  
Publisher DOI
10.1145/3344948.3344995
Scopus ID
2-s2.0-85081951205
Publisher
Association for Computing Machinery
ISBN
978-1-4503-7142-1
Recent trends in the software development practices (Agile, De-vOps, CI) have shortened the development life-cycle causing the need for efficient security-by-design approaches. In this context, software architectures are analyzed for potential vulnerabilities and design flaws. Yet, design flaws are often documented with natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC) there is little systematized knowledge on security design flaws. The purpose of this work is to present and evaluate a catalog of security design flaws accompanied by inspection guidelines for their detection. To this aim, we conduct empirical studies with master and doctoral students. This paper presents a catalog of 19 inspection guidelines for detecting security design flaws and contributes with an empirical evaluation of the inspection guidelines. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies.
Subjects
Empirical software engineering
Security design flaws
Security-by-design
DDC Class
004: Computer Sciences