Finding architectural flaws using constraints

Vanciu, Radu; Abi-Antoun, Marwan

doi:10.1109/ase.2013.6693092

Cited by 14 publications

(8 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Scoria [69] is a semi-automated approach for extracting and analyzing the Owner Object Graph annotated with security properties (i.e., SecGraph) to find security flaws in the architecture. First, The SecGraph is extracted from a manually annotated implementation.…”

Section: Related Workmentioning

confidence: 99%

Checking security compliance between models and code

et al. 2022

View full text Add to dashboard Cite

It is challenging to verify that the planned security mechanisms are actually implemented in the software. In the context of model-based development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor intensive and can be error-prone. This work introduces the first semi-automatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a design-level model (SecDFD, provided by humans) and a code-level representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence, potential security flaws in the code. These mappings enable an automated, and project-specific static analysis of the implementation with respect to the desired security properties of the design model. We developed two types of security compliance checks and evaluated the entire approach on open source Java projects.

show abstract

Section: Related Workmentioning

confidence: 99%

Checking security compliance between models and code

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Scoria [73] is a semi-automated approach for extracting and analyzing the Owner Object Graph annotated with security properties (i.e., SecGraph) to find security flaws in the architecture. First, The SecGraph is extracted from a manually annotated implementation.…”

Section: Related Workmentioning

confidence: 99%

Checking Security Compliance between Models and Code

Tuma,

Peldszus,

Strüber

et al. 2021

Preprint

View full text Add to dashboard Cite

The verification that planned security mechanisms are actually implemented in the software code is a challenging endeavor. In the context of modelbased development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor intensive and can be error-prone. This work introduces the first semiautomatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a designlevel model (SecDFD, provided by humans) and a codelevel representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence potential security flaws in the code. These mappings enable an automated, and project-specific static analysis of the implementation with respect to the desired security properties of the design model.We contribute with (i) a definition of corresponding elements between the design-level and the implementation-level models and a heuristic-based approach to search for correspondences, (ii) two types of security compliance checks using static code analysis, and (iii) an implementation of our approach as a publicly available Eclipse plugin, evaluated with three studies on

show abstract

“…Vanciu [28] proposed Scoria, a semi-automatic approach to find architectural flaws, which count for 50% of security vulnerabilities. They proposed the use of annotations to mark the security-related code.…”

Section: Related Workmentioning

confidence: 99%

The current practices of changing secure software

Jamil

Othmane

Valani

et al. 2020

Proceedings of the 35th Annual ACM Symposium on Applied Computing

View full text Add to dashboard Cite

Developers change the code of their software to add new features, fix bugs, or enhance its structure. Such frequent changes impact occasionally the security of the software. This paper reports a qualitative study of the practices of changing secure-software in the industry. The study involves interviews with eleven developers and security experts working on banking software, software for control systems, and software consultation companies. Through these interviews, we identified that the main security aspects are: dependency vulnerabilities, authentication and authorization, and OWASP 10 vulnerabilities. The common techniques used to assess software after code change are: code review, code analysis, testing, and keywords search. The main challenges that practitioners face are the diversity of the security issues and the lack of effectiveness of the security assurance tools in detecting vulnerabilities. The study suggests that developers of secure software need techniques that support effective security assurance of modified software. CCS CONCEPTS • Security and privacy → Software security engineering;

show abstract

Finding architectural flaws using constraints

Cited by 14 publications

References 32 publications

Checking security compliance between models and code

Checking security compliance between models and code

Checking Security Compliance between Models and Code

The current practices of changing secure software

Contact Info

Product

Resources

About