Automating the early detection of security design flaws

Katja Tuma, Laurens Sion, Riccardo Scandariato, Koen Yskout

Research output: Chapter in Book / Report / Conference proceeding; Conference contribution; Academic; peer-reviewed

Abstract

Security by design is a key principle for realizing secure software systems and it is advised to hunt for security flaws from the very early stages of development. At design-time, security analysis is often performed manually by means of either threat modeling or expert-based design inspections. However, when leveraging the wide range of established knowledge bases on security design flaws (e.g., CWE, CAWE), these manual assessments become too time consuming, error-prone, and infeasible in the context of contemporary development practices with frequent iterations. This paper focuses on design inspection and explores the potential for automating the application of inspection rules to speed up the security analysis. The contributions of this paper are: (i) the creation of a publicly available data set consisting of 26 design models annotated with security flaws, (ii) an automated approach for following inspection guidelines using model query patterns, and (iii) an empirical comparison of the results from this automated approach with those from manual inspection. Even though our results show that a complete automation of the security design flaw detection is hard to achieve, we find that some flaws (e.g., insecure data exposure) are more amenable to automation. Compared to manual analysis techniques, our results are encouraging and suggest that the automated technique could guide security analysts towards a more complete inspection of the software design, especially for large models.

Original language: English
Title of host publication: Proceedings - 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems, MODELS 2020
Publisher: Association for Computing Machinery, Inc
Pages: 332-342
Number of pages: 11
ISBN (Electronic): 9781450370196
DOIs
Publication status: Published - 16 Oct 2020
Externally published: Yes
Event: 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems, MODELS 2020 - Virtual, Online, Canada
Duration: 18 Oct 2020 to 23 Oct 2020

Publication series

Name: Proceedings - 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems, MODELS 2020

Conference

Conference: 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems, MODELS 2020
Country/Territory: Canada
City: Virtual, Online
Period: 18/10/20 to 23/10/20

Bibliographical note

Publisher Copyright:
© 2020 ACM.

Copyright:
Copyright 2020 Elsevier B.V., All rights reserved.

Keywords

  • automation
  • design flaw detection
  • empirical software engineering
  • secure design
  • security flaw
  • security-by-design
