Towards automated security design flaw detection

Publikationstyp
Conference Paper
Date Issued
2019-11
Sprache
English
Author(s)
Sion, Laurens  
Tuma, Katja  
Scandariato, Riccardo  
Yskout, Koen  
Joosen, Wouter  
TORE-URI
http://hdl.handle.net/11420/10254
Start Page
49
End Page
56
Article Number
8967432
Citation
IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW 2019)
Contribution to Conference
34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019  
Publisher DOI
10.1109/ASEW.2019.00028
Scopus ID
2-s2.0-85079279288
Efficiency of security-by-design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at design time for potential security design flaws, based on natural language descriptions of security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 security design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of design-level security. Our findings are illustrated on an IoT-based smart home system.
Subjects
Design analysis
Design flaws
Design inspection
Security