Automating the early detection of security design flaws
Paper in proceeding, 2020
The contributions of this paper are: (i) the creation of a publicly available data set consisting of 26 design models annotated with security flaws, (ii) an automated approach for following inspection guidelines using model query patterns, and (iii) an empirical comparison of the results from this automated approach with those from manual inspection. Even though our results show that a complete automation of the security design flaw detection is hard to achieve, we find that some flaws (e.g., insecure data exposure) are more amenable to automation. Compared to manual analysis techniques, our results are encouraging and suggest that the automated technique could guide security analysts towards a more complete inspection of the software design, especially for large models.
design flaw detection
empirical software engineering
security flaw
secure design
security-by-design
automation
Authors
Katja Tuma
Göteborgs universitet
Laurens Sion
KU Leuven
Riccardo Scandariato
Göteborgs universitet
Koen Yskout
KU Leuven
Proceedings - 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems, MODELS 2020
MODELS '20 332-342
9781450370196 (ISBN)
Virtual Event, Canada
Subject categories
Other Computer and Information Science
Other Engineering and Technologies
Systems Science
DOI
10.1145/3365438.3410954