Security in software architecture: a case study

Sachitano, A.; Chapman, Roderick; Hamilton, John A.

doi:10.1109/iaw.2004.1437841

Cited by 18 publications

(10 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hoo, Sudbury, and Jaquith (2001) examined the software development and maintenance costs (e.g., patch development costs) associated with security in particular and concluded that return on investment (ROI) was "from 12-21%, with the highest rate of return occurring when analysis is performed during application design." Likewise reinforcing the notion of early consideration, the final security assurance attained by software products has also been shown to improve when security is considered early in design (Sachitano, Chapman, & Hamilton, 2004). Security improvements indirectly translate into operational cost savings since companies and/or users are less likely to incur losses and down-time when using a more secure software product; less time and money is wasted recovering from attacks enabled by software security vulnerabilities.…”

Section: Fundamental Question and Motivationmentioning

confidence: 93%

“…Furthermore, this post-mortem advisory counting technique only works on products from the same product line or that perform identical functions. In the case of Sachitano et al (2004), the security attributes of two mail programs were being compared. In the case of Alhazmi et al (2005), a model for vulnerability discovery rate in subsequent operating system versions was being validated.…”

Section: Current Challengesmentioning

confidence: 99%

See 1 more Smart Citation

Secure Software Engineering: Learning from the Past to Address Future Challenges

Hein¹,

Saiedian

2009

Information Security Journal: A Global Perspective

View full text Add to dashboard Cite

This paper provides a taxonomy of secure software systems engineering (SSE) by surveying and organizing relevant SSE research and presents current trends in SSE, on-going challenges, and models for reasoning about threats and vulnerabilities. Several challenging questions related to risk assessment/mitigation (e.g., "what is the likelihood of attack") as well as practical questions (e.g., "where do vulnerabilities originate" and "how can vulnerabilities be prevented") are addressed.

show abstract

Section: Fundamental Question and Motivationmentioning

confidence: 93%

Section: Current Challengesmentioning

confidence: 99%

Secure Software Engineering: Learning from the Past to Address Future Challenges

Hein¹,

Saiedian

2009

Information Security Journal: A Global Perspective

View full text Add to dashboard Cite

show abstract

“…Design Level Security Metrics: Measuring security at the design phase, based on typical design artifacts, has not been considered until recently even though such metrics could efficiently eliminate software security vulnerabilities before they reach the final product [44], [45]. Such metrics would also allow software developers to compare the security level of various alternative designs under consideration.…”

Section: Lecture Notes On Software Engineering Vol 4 No 2 May 2016mentioning

confidence: 99%

Developing Secure Systems: A Comparative Study of Existing Methodologies

Alshammari¹,

Fidge²,

Corney³

2016

LNSE

View full text Add to dashboard Cite

Abstract-With the increasing demand for developing high-quality and more reliable systems, the process of developing trustworthy computer software is a challenging one. In this paper, we review various approaches to producing more secure systems. This includes established general principles for designing secure systems. It also provides an introduction to general software quality measurements including existing software security metrics. This paper also includes a comparison of the various security metrics for developing secure systems (i.e., architectural, design, and code-level metrics). Lastly, the paper examines the approach of refactoring, illustrates its objectives, and shows how refactoring is generally used for enhancing the quality of existing programs from the perspective of information security. At the end of this paper, we provide a discussion of these three approaches and how they can be used to provide guidance for future secure software development processes.Index Terms-Security design principles, object-orientation, security metrics, secure refactoring. I. INTRODUCTIONMuch existing software is designed with poor consideration of information security which makes it vulnerable to many threats including malicious attacks [1]. Software patches are one of the suggested solutions for many of the security attacks facing software [1] but they are expensive to develop and deploy and do not solve basic design weaknesses in the program code. Another solution to achieve a secure product is by following a trustworthy security process [2]. Security processes, in general, consider many aspects of system design, coding, testing, and auditing [2] (e.g., international security standards such as the Common Criteria [3] or the Trusted Computer Criteria [4]).Another common approach for achieving a secure computer program is by following certain coding guidelines which focus on the level of individual program statements (e.g., to avoid/detect buffer overflows [5]). However, these solutions do not always work effectively and may, in general, even introduce new vulnerabilities to existing software [1]. Adding security features to systems after they have been developed and deployed has been a major cause of many system vulnerabilities [6]. Therefore, applying security principles from the early stages of the software development life cycle (SDLC) would be a better solution [1] and allow a Manuscript received October 10, 2014; revised January 5, 2015. Bandar M. Alshammari is with Aljouf University, Saudi Arabia (e-mail: bmshammeri@ju.edu.sa).Colin J. Fidge is with Queensland University of Technology, Australia (e-mail: c.fidge@qut.edu.au).Diane Corney is with Oracle, Australia (e-mail: diane.corney@oracle.com).more coherent system to be produced [6].Developing a secure system requires a good overall design which takes security into account from the beginning. A suggested methodology by Fernandez [1] incorporates security principles into each stage of the SDLC. It makes sure that each stage complies with these principles th...

show abstract

“…Instead, the most efficient approach is to enforce security at early phases of the software development lifecycle such as during the design phase [4] [5]. The National Institute of Standards and Technology [14] stated that eliminating vulnerabilities in the design stage can cost 30 times less than fixing them at a later stage.…”

Section: Related Work and Research Problemmentioning

confidence: 99%

“…Furthermore, those security measurements which have been defined either assess security at the abstract system architecture level [2] or at the low level of program code [3]. Measuring security at the design phase, based on typical design artifacts, has not been considered even though such metrics could have efficiently eliminated software security vulnerabilities before they reach the finalised product [4] [5]. Such metrics would also allow software developers to compare the security level of various alternative designs under consideration.…”

Section: Introductionmentioning

confidence: 99%

Security Metrics for Object-Oriented Designs

Alshammari

Fidge

Corney

2010

2010 21st Australian Software Engineering Conference

View full text Add to dashboard Cite

Abstract-Several studies have developed metrics for software quality attributes of object-oriented designs such as reusability and functionality. However, metrics which measure the quality attribute of information security have received little attention. Moreover, existing security metrics measure either the system from a high level (i.e. the whole system's level) or from a low level (i.e. the program code's level). These approaches make it hard and expensive to discover and fix vulnerabilities caused by software design errors. In this work, we focus on the design of an object-oriented application and define a number of information security metrics derivable from a program's design artifacts. These metrics allow software designers to discover and fix security vulnerabilities at an early stage, and help compare the potential security of various alternative designs. In particular, we present security metrics based on composition, coupling, extensibility, inheritance, and the design size of a given objectoriented, multi-class program from the point of view of potential information flow.

show abstract

Security in software architecture: a case study

Cited by 18 publications

References 8 publications

Secure Software Engineering: Learning from the Past to Address Future Challenges

Secure Software Engineering: Learning from the Past to Address Future Challenges

Developing Secure Systems: A Comparative Study of Existing Methodologies

Security Metrics for Object-Oriented Designs

Contact Info

Product

Resources

About