| 1. |
- Sion, Laurens, et al.
(author)
-
A modular meta-model for security solutions
- 2017
-
In: Proceedings of Programming ’17, Brussels, Belgium, April 03-06. - New York, NY, USA : Association for Computing Machinery. - 9781450348362 ; Part F129681
-
Conference paper (peer-reviewed)abstract
- © 2017 ACM. Designing a secure software system requires the ability to represent and reason about a wide variety of security concerns. Existing modelling representations lack a comprehensive set of security building blocks or lack support for composition or refinement of the design under consideration. We propose a new modular metamodel for representing these security designs. This model supports both composition for more complex solutions and representing different levels of abstraction to model the underlying details. This meta-model can subsequently be used for the construction of security solutions, supporting a wide range of mechanisms on a wide variety of abstraction levels, thereby providing a foundation for the security-by-design approach.
|
|
| 2. |
- Sion, Laurens, et al.
(author)
-
Towards Automated Security Design Flaw Detection
- 2019
-
In: Proceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2019. ; , s. 49-56
-
Conference paper (peer-reviewed)abstract
- Efficiency of security-by-design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at design time for potential security design flaws, based on natural language descriptions of security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 security design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of design-level security. Our findings are illustrated on an IoT-based smart home system.
|
|
| 3. |
- Tuma, Katja, 1991, et al.
(author)
-
Automating the early detection of security design flaws
- 2020
-
In: Proceedings - 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems, MODELS 2020. - New York, NY, USA : ACM. ; :MODELS '20, s. 332-342
-
Conference paper (peer-reviewed)abstract
- Security by design is a key principle for realizing secure software systems and it is advised to hunt for security flaws from the very early stages of development. At design-time, security analysis is often performed manually by means of either threat modeling or expert-based design inspections. However, when leveraging the wide range of established knowledge bases on security design flaws (e.g., CWE, CAWE), these manual assessments become too time consuming, error-prone, and infeasible in the context of contemporary development practices with frequent iterations. This paper focuses on design inspection and explores the potential for automating the application of inspection rules to speed up the security analysis. The contributions of this paper are: (i) the creation of a publicly available data set consisting of 26 design models annotated with security flaws, (ii) an automated approach for following inspection guidelines using model query patterns, and (iii) an empirical comparison of the results from this automated approach with those from manual inspection. Even though our results show that a complete automation of the security design flaw detection is hard to achieve, we find that some flaws (e.g., insecure data exposure) are more amenable to automation. Compared to manual analysis techniques, our results are encouraging and suggest that the automated technique could guide security analysts towards a more complete inspection of the software design, especially for large models.
|
|
| 4. |
- Van Den Berghe, Alexander, et al.
(author)
-
A lingua franca for security by design
- 2018
-
In: 2018 IEEE Cybersecurity Development Conference, SecDev 2018.
-
Conference paper (peer-reviewed)abstract
- © 2018 IEEE. The principle of security by design is advocated by academia as well as industry. Unfortunately, its adoption in practice is not yet widespread. We believe a reason for this is the lack of a 'lingua franca' for security modelling. Such a language should support security specialists to precisely describe the security aspects in a software design, as well as simultaneously serve to communicate with a broader audience of stakeholders. For this paper, we have assessed how well a formally backed security modelling language we previously proposed, suits the needs of the needs of these two groups. Concretely, we report on a large user study investigating how well security novices are able to comprehend the foundations of our language. Furthermore, to assess our language's practicality, we show how it can be used to create a realistic model of authentication. We have found that our language's foundations are comprehensible to a broader audience and they allow to precisely model a design's security aspects, albeit some shortcomings requiring attention have been identified. Based on these findings, we believe that a precise yet comprehensible security by design lingua franca is within reach.
|
|
| 5. |
- vandenBerghe, Alexander, et al.
(author)
-
Design notations for secure software: a systematic literature review
- 2017
-
In: Software and Systems Modeling. - : Springer Science and Business Media LLC. - 1619-1366 .- 1619-1374. ; 16, s. 809-831
-
Journal article (peer-reviewed)abstract
- © 2015, Springer-Verlag Berlin Heidelberg. In the past 10years, the research community has produced a significant number of design notations to represent security properties and concepts in a design artifact. These notations are aimed at documenting and analyzing security in a software design model. The fragmentation of the research space, however, has resulted in a complex tangle of different techniques. Hence, practitioners are confronted with the challenging task of scouting the right approach from a multitude of proposals. Similarly, it is hard for researchers to keep track of the synergies among the existing notations, in order to identify the existing opportunities for original contributions. This paper presents a systematic literature review that inventorizes the existing notations and provides an in-depth, comparative analysis for each.
|
|
| 6. |
|
|
