Inspection guidelines to identify security design flaws
Paper i proceeding, 2019

Recent trends in the software development practices (Agile, De-vOps, CI) have shortened the development life-cycle causing the need for efficient security-by-design approaches. In this context, software architectures are analyzed for potential vulnerabilities and design flaws. Yet, design flaws are often documented with natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC) there is little systematized knowledge on security design flaws. The purpose of this work is to present and evaluate a catalog of security design flaws accompanied by inspection guidelines for their detection. To this aim, we conduct empirical studies with master and doctoral students. This paper presents a catalog of 19 inspection guidelines for detecting security design flaws and contributes with an empirical evaluation of the inspection guidelines. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies.


Empirical software engineering

Security design flaws


Katja Tuma

Göteborgs universitet

Danial Hosseini

Göteborgs universitet

Kyriakos Malamas

Göteborgs universitet

Riccardo Scandariato

Göteborgs universitet

ACM International Conference Proceeding Series

Vol. 2 116-122
978-145037142-1 (ISBN)

13th European Conference on Software Architecture, ECSA 2019
Paris, France,







Mer information

Senast uppdaterat