Architecture Anti-Patterns: Automatically Detectable Violations of Design Principles

Mo, Ran; Cai, Yuanfang; Kazman, Rick; Xiao, Lu; Feng, Qiong

doi:10.1109/tse.2019.2910856

Cited by 42 publications

(24 citation statements)

References 75 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Architectural bad smells and anti-patterns. The literature on architectural bad smells [9,19] and anti-patterns [5,13,14] collides with our work for what concerns the ambition to find and remove architectural issues that negatively impact system life-cycle properties (extensibility, maintainability, testability, etc.). In contrast, our work investigates security design flaws, that is architectural design decisions that negatively impact the system security.…”

Section: Related Workmentioning

confidence: 90%

Inspection guidelines to identify security design flaws

Tuma

Hosseini

Malamas

et al. 2019

Proceedings of the 13th European Conference on Software Architecture - Volume 2

View full text Add to dashboard Cite

Recent trends in the software development practices (Agile, De-vOps, CI) have shortened the development life-cycle causing the need for efficient security-by-design approaches. In this context, software architectures are analyzed for potential vulnerabilities and design flaws. Yet, design flaws are often documented with natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC) there is little systematized knowledge on security design flaws. The purpose of this work is to provide a catalog of security design flaws and to empirically evaluate the inspection guidelines for detecting security design flaws. To this aim, we present a catalog of 19 security design flaws and conduct empirical studies with master and doctoral students. This paper contributes with: (i) a catalog of security design flaws, (ii) an empirical evaluation of the inspection guidelines with master students, and (iii) a replicated evaluation with doctoral students. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies and discuss the potential for automating the security design flaw detection.

show abstract

Section: Related Workmentioning

confidence: 90%

Inspection guidelines to identify security design flaws

Tuma

Hosseini

Malamas

et al. 2019

Proceedings of the 13th European Conference on Software Architecture - Volume 2

View full text Add to dashboard Cite

show abstract

“…We also collected size and complexity data from Designite. DV8: DV8 performs the calculation of decoupling level [17] and propagation cost [18], the identification of architectural roots [19], and the identification of design anti-patterns [16]. Our study only considers the six anti-patterns: 1) Clique-files forming a strongly connected component, 2) Unhealthy Inheritance-violations of the Liskov Substitution Principle [20], 3) Package Cycle-two folders mutually depend on each other, 4) Unstable Interface-a file with many dependents that changes often with all of them, 5) Crossing-a file with a high fanin and fan-out that changes often with its dependents and dependees, and 6) Modularity Violation-files that change together frequently but have no structural relationship.…”

Section: Sonarqube (Sq)mentioning

confidence: 99%

“…For example, Designite [5] defines smells at architectural, design, and code levels, each based on different sets of rules. DV8 [10], [16] defines a suite of anti-patterns that are claimed to be design debts. Structure101 [4] considers tangles and excessive complexity as the measures of technical debt.…”

Section: Introductionmentioning

confidence: 99%

On the Lack of Consensus Among Technical Debt Detection Tools

Lefever

Cai

Cervantes³

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

Self Cite

View full text Add to dashboard Cite

A vigorous and growing set of technical debt analysis tools have been developed in recent years-both research tools and industrial products-such as Structure 101, SonarQube, and DV8. Each of these tools identifies problematic files using their own definitions and measures. But to what extent do these tools agree with each other in terms of the files that they identify as problematic? If the top-ranked files reported by these tools are largely consistent, then we can be confident in using any of these tools. Otherwise, a problem of accuracy arises. In this paper, we report the results of an empirical study analyzing 10 projects using multiple tools. Our results show that: 1) these tools report very different results even for the most common measures, such as size, complexity, file cycles, and package cycles. 2) These tools also differ dramatically in terms of the set of problematic files they identify, since each implements its own definitions of "problematic". After normalizing by size, the most problematic file sets that the tools identify barely overlap. 3) Our results show that code-based measures, other than size and complexity, do not even moderately correlate with a file's change-proneness or errorproneness. In contrast, co-change-related measures performed better. Our results suggest that, to identify files with true technical debt-those that experience excessive changes or bugsco-change information must be considered. Code-based measures are largely ineffective at pinpointing true debt. Finally, this study reveals the need for the community to create benchmarks and data sets to assess the accuracy of software analysis tools in terms of commonly used measures.

show abstract

“…The identification of problematic areas in design-level representations of a system with architectural smells [25]- [28] or anti-patterns [29], [30] has previously been used to identify software engineering issues, such as maintainability, and to assist in refactoring. For example, Garcia et al [25] introduce a catalog of architectural bad smells specified with UML diagrams.…”

Section: Related Workmentioning

confidence: 99%

“…Similarly, Bouhours et al [27] contribute with a catalog of 23 "spoiled patterns" or, architectural design antipatterns. Yet, the existing literature about architectural design flaws [25], [27], [30]- [32] lacks a systematized knowledge base about security-relevant architectural design flaws supporting automated assessment.…”

Section: Related Workmentioning

confidence: 99%

Towards Automated Security Design Flaw Detection

Sion

Tuma

Scandariato

et al. 2019

2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshop (ASEW)

View full text Add to dashboard Cite

Efficiency of security-by-design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at design time for potential security design flaws, based on natural language descriptions of security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 security design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of design-level security. Our findings are illustrated on an IoT-based smart home system.

show abstract

Architecture Anti-Patterns: Automatically Detectable Violations of Design Principles

Cited by 42 publications

References 75 publications

Inspection guidelines to identify security design flaws

Inspection guidelines to identify security design flaws

On the Lack of Consensus Among Technical Debt Detection Tools

Towards Automated Security Design Flaw Detection

Contact Info

Product

Resources

About