Inspection guidelines to identify security design flaws
Paper in proceedings, 2019

Recent trends in software development practices (Agile, DevOps, CI) have shortened the development life-cycle, causing the need for efficient security-by-design approaches. In this context, software architectures are analyzed for potential vulnerabilities and design flaws. Yet, design flaws are often documented in natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC) there is little systematized knowledge on security design flaws. The purpose of this work is to present and evaluate a catalog of security design flaws accompanied by inspection guidelines for their detection. To this aim, we conduct empirical studies with master and doctoral students. This paper presents a catalog of 19 inspection guidelines for detecting security design flaws and contributes an empirical evaluation of the inspection guidelines. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies.

Empirical software engineering

Security design flaws

Security-by-design

Authors

Katja Tuma

University of Gothenburg

Danial Hosseini

University of Gothenburg

Kyriakos Malamas

University of Gothenburg

Riccardo Scandariato

Chalmers University of Technology, Computer Science and Engineering, Software Engineering (Software Engineering for Testing, Requirements, Innovation and Psychology)

ACM International Conference Proceeding Series

Vol. 2, pp. 116-122

13th European Conference on Software Architecture, ECSA 2019
Paris, France

Subject Categories

Design

Software Engineering

Information Science

DOI

10.1145/3344948.3344995

More information

Latest update

5/6/2020