Towards Automated Security Design Flaw Detection
Paper in proceedings, 2019

Efficiency of security-by-design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at design time for potential security design flaws, based on natural-language descriptions of security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 security design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatic detection of these flaws. This constitutes the first step towards automated assessment of design-level security. Our findings are illustrated on an IoT-based smart home system.

Keywords: design inspection; design flaws; security; design analysis

Authors

Laurens Sion (KU Leuven)

Katja Tuma (Chalmers, Computer Science and Engineering (Chalmers), Software Engineering (Chalmers); University of Gothenburg)

Riccardo Scandariato (University of Gothenburg; Chalmers, Computer Science and Engineering (Chalmers), Software Engineering (Chalmers))

Koen Yskout (KU Leuven)

Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019

pp. 49-56
9781728141367 (ISBN)

34th IEEE/ACM International Conference on Automated Software Engineering Workshop (ASEW)
San Diego, USA

Funding: Cyber Resilience for Vehicles - Cybersecurity for automotive systems in a changing environment - phase 1 (CyReV)

VINNOVA (2018-05013), 2019-04-01 -- 2021-03-31.

Subject Categories (SSIF 2025)

Security, Privacy and Cryptography

Subject Categories (SSIF 2011)

Software Engineering

Information Science

Computer Systems

DOI: 10.1109/ASEW.2019.00028

Latest update: 6/26/2025