Publisher DOI: 10.1007/s10270-022-00991-5
Title: Checking security compliance between models and code
Language: English
Authors: Tuma, Katja 
Peldszus, Sven 
Strüber, Daniel 
Scandariato, Riccardo 
Jürjens, Jan 
Keywords: Data flow diagram (DFD); Security compliance; Security-by-design; Static program analysis
Issue Date: 18-Mar-2022
Publisher: Springer
Source: Software and Systems Modeling 22 (1): 273-296 (2023-02)
Abstract (English): 
It is challenging to verify that the planned security mechanisms are actually implemented in the software. In the context of model-based development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor-intensive and can be error-prone. This work introduces the first semi-automatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a design-level model (SecDFD, provided by humans) and a code-level representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence, potential security flaws in the code. These mappings enable an automated and project-specific static analysis of the implementation with respect to the desired security properties of the design model. We developed two types of security compliance checks and evaluated the entire approach on open source Java projects.
DOI: 10.15480/882.4953
ISSN: 1619-1374
Journal: Software and systems modeling 
Institute: Software Security E-22 
Document Type: Article
Project: Assurance and certification in secure Multi-party Open Software and Services 
License: CC BY 4.0 (Attribution)
Appears in Collections: Publications with fulltext

Files in This Item:
File: s10270-022-00991-5-1.pdf
Description: Publisher's version
Size: 2.07 MB
Format: Adobe PDF

This item is licensed under a Creative Commons License.