Towards automated security design flaw detection

Laurens Sion; Katja Tuma; Riccardo Scandariato; Koen Yskout; Wouter Joosen

doi:10.1109/ASEW.2019.00028

Towards automated security design flaw detection

Laurens Sion, Katja Tuma, Riccardo Scandariato, Koen Yskout, Wouter Joosen

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Efficiency of security-by-design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at design time for potential security design flaws, based on natural language descriptions of security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 security design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of design-level security. Our findings are illustrated on an IoT-based smart home system.

Original language	English
Title of host publication	Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	49-56
Number of pages	8
ISBN (Electronic)	9781728141367
DOIs	https://doi.org/10.1109/ASEW.2019.00028
Publication status	Published - Nov 2019
Externally published	Yes
Event	34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019 - San Diego, United States Duration: 10 Nov 2019 → 15 Nov 2019

Publication series

Name	Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019

Conference

Conference	34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019
Country/Territory	United States
City	San Diego
Period	10/11/19 → 15/11/19

Bibliographical note

Funding Information:
This research is partially funded by the Research Fund KU Leuven. Katja Tuma was partially supported by the Swedish VINNOVA FFI project “CyReV: Cyber Resilience for Vehicles-Cybersecurity for automotive systems in a changing environment”.

Publisher Copyright:
© 2019 IEEE.

Copyright:
Copyright 2020 Elsevier B.V., All rights reserved.

Funding

This research is partially funded by the Research Fund KU Leuven. Katja Tuma was partially supported by the Swedish VINNOVA FFI project “CyReV: Cyber Resilience for Vehicles-Cybersecurity for automotive systems in a changing environment”.

Keywords

Design analysis
Design flaws
Design inspection
Security

Access to Document

10.1109/ASEW.2019.00028

Persistent URL (handle)

Persistent link

Cite this

Sion, L., Tuma, K., Scandariato, R., Yskout, K., & Joosen, W. (2019). Towards automated security design flaw detection. In Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019 (pp. 49-56). Article 8967432 (Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ASEW.2019.00028

Sion, Laurens ; Tuma, Katja ; Scandariato, Riccardo et al. / Towards automated security design flaw detection. Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019. Institute of Electrical and Electronics Engineers Inc., 2019. pp. 49-56 (Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019).

@inproceedings{7e872176dc6c46ef807196e5e3df8767,

title = "Towards automated security design flaw detection",

abstract = "Efficiency of security-by-design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at design time for potential security design flaws, based on natural language descriptions of security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 security design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of design-level security. Our findings are illustrated on an IoT-based smart home system.",

keywords = "Design analysis, Design flaws, Design inspection, Security",

author = "Laurens Sion and Katja Tuma and Riccardo Scandariato and Koen Yskout and Wouter Joosen",

note = "Funding Information: This research is partially funded by the Research Fund KU Leuven. Katja Tuma was partially supported by the Swedish VINNOVA FFI project “CyReV: Cyber Resilience for Vehicles-Cybersecurity for automotive systems in a changing environment”. Publisher Copyright: {\textcopyright} 2019 IEEE. Copyright: Copyright 2020 Elsevier B.V., All rights reserved.; 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019 ; Conference date: 10-11-2019 Through 15-11-2019",

year = "2019",

month = nov,

doi = "10.1109/ASEW.2019.00028",

language = "English",

series = "Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "49--56",

booktitle = "Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019",

address = "United States",

}

Sion, L, Tuma, K, Scandariato, R, Yskout, K & Joosen, W 2019, Towards automated security design flaw detection. in Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019., 8967432, Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019, Institute of Electrical and Electronics Engineers Inc., pp. 49-56, 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019, San Diego, United States, 10/11/19. https://doi.org/10.1109/ASEW.2019.00028

Towards automated security design flaw detection. / Sion, Laurens; Tuma, Katja; Scandariato, Riccardo et al.
Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019. Institute of Electrical and Electronics Engineers Inc., 2019. p. 49-56 8967432 (Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019).

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Towards automated security design flaw detection

AU - Sion, Laurens

AU - Tuma, Katja

AU - Scandariato, Riccardo

AU - Yskout, Koen

AU - Joosen, Wouter

N1 - Funding Information: This research is partially funded by the Research Fund KU Leuven. Katja Tuma was partially supported by the Swedish VINNOVA FFI project “CyReV: Cyber Resilience for Vehicles-Cybersecurity for automotive systems in a changing environment”. Publisher Copyright: © 2019 IEEE. Copyright: Copyright 2020 Elsevier B.V., All rights reserved.

PY - 2019/11

Y1 - 2019/11

N2 - Efficiency of security-by-design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at design time for potential security design flaws, based on natural language descriptions of security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 security design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of design-level security. Our findings are illustrated on an IoT-based smart home system.

AB - Efficiency of security-by-design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at design time for potential security design flaws, based on natural language descriptions of security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 security design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of design-level security. Our findings are illustrated on an IoT-based smart home system.

KW - Design analysis

KW - Design flaws

KW - Design inspection

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=85079279288&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85079279288&partnerID=8YFLogxK

U2 - 10.1109/ASEW.2019.00028

DO - 10.1109/ASEW.2019.00028

M3 - Conference contribution

AN - SCOPUS:85079279288

T3 - Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019

SP - 49

EP - 56

BT - Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019

Y2 - 10 November 2019 through 15 November 2019

ER -

Sion L, Tuma K, Scandariato R, Yskout K, Joosen W. Towards automated security design flaw detection. In Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019. Institute of Electrical and Electronics Engineers Inc. 2019. p. 49-56. 8967432. (Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019). doi: 10.1109/ASEW.2019.00028

Towards automated security design flaw detection

Abstract

Publication series

Conference

Bibliographical note

Funding

Keywords

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this