Abstract
Recent trends in the software development practices (Agile, De-vOps, CI) have shortened the development life-cycle causing the need for efficient security-by-design approaches. In this context, software architectures are analyzed for potential vulnerabilities and design flaws. Yet, design flaws are often documented with natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC) there is little systematized knowledge on security design flaws. The purpose of this work is to present and evaluate a catalog of security design flaws accompanied by inspection guidelines for their detection. To this aim, we conduct empirical studies with master and doctoral students. This paper presents a catalog of 19 inspection guidelines for detecting security design flaws and contributes with an empirical evaluation of the inspection guidelines. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies.
Original language | English |
---|---|
Title of host publication | 13th European Conference on Software Architecture, ECSA 2019 - Companion Proceedings |
Editors | Laurence Duchien, Anne Koziolek, Raffaela Mirandola, Elena Maria Navarro Martinez, Clement Quinton, Ricardo Scandariato, Patrizia Scandurra, Catia Trubiani, Danny Weyns |
Publisher | Association for Computing Machinery |
Pages | 116-122 |
Number of pages | 7 |
ISBN (Electronic) | 9781450371421 |
DOIs | |
Publication status | Published - 9 Sept 2019 |
Externally published | Yes |
Event | 13th European Conference on Software Architecture, ECSA 2019 - Paris, France Duration: 9 Sept 2019 → 13 Sept 2019 |
Publication series
Name | ACM International Conference Proceeding Series |
---|---|
Volume | 2 |
Conference
Conference | 13th European Conference on Software Architecture, ECSA 2019 |
---|---|
Country/Territory | France |
City | Paris |
Period | 9/09/19 → 13/09/19 |
Bibliographical note
Publisher Copyright:© 2019 ACM.
Copyright:
Copyright 2020 Elsevier B.V., All rights reserved.
Keywords
- Empirical software engineering
- Security design flaws
- Security-by-design