Inspection guidelines to identify security design flaws

Katja Tuma, Danial Hosseini, Kyriakos Malamas, Riccardo Scandariato

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review


Recent trends in software development practices (Agile, DevOps, CI) have shortened the development life-cycle, creating the need for efficient security-by-design approaches. In this context, software architectures are analyzed for potential vulnerabilities and design flaws. Yet, design flaws are often documented in natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC), there is little systematized knowledge on security design flaws. The purpose of this work is to present and evaluate a catalog of security design flaws accompanied by inspection guidelines for their detection. To this aim, we conduct empirical studies with master and doctoral students. This paper presents a catalog of 19 inspection guidelines for detecting security design flaws and contributes an empirical evaluation of the inspection guidelines. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies.

Original language: English
Title of host publication: 13th European Conference on Software Architecture, ECSA 2019 - Companion Proceedings
Editors: Laurence Duchien, Anne Koziolek, Raffaela Mirandola, Elena Maria Navarro Martinez, Clement Quinton, Ricardo Scandariato, Patrizia Scandurra, Catia Trubiani, Danny Weyns
Publisher: Association for Computing Machinery
Number of pages: 7
ISBN (Electronic): 9781450371421
Publication status: Published - 9 Sept 2019
Externally published: Yes
Event: 13th European Conference on Software Architecture, ECSA 2019 - Paris, France
Duration: 9 Sept 2019 - 13 Sept 2019

Publication series

Name: ACM International Conference Proceeding Series


Conference: 13th European Conference on Software Architecture, ECSA 2019

Bibliographical note

Publisher Copyright:
© 2019 ACM.

Copyright 2020 Elsevier B.V., All rights reserved.


  • Empirical software engineering
  • Security design flaws
  • Security-by-design
