Research on software design level security vulnerabilities

One of the major problems in software security is the lack of security knowledge among software developers. Even if a developer has good knowledge of current software vulnerabilities, they generally have little or no idea of the causes of those vulnerabilities or of the measures that can avoid them. It is now an established fact that most vulnerabilities arise in the design phase of the software development lifecycle. In view of the importance of software design level security, a study of current software design level vulnerabilities and their causes was conducted. In this paper, we discuss current practices in specific software design tasks, vulnerabilities, and mitigation mechanisms. On the basis of this critical review, we identify areas of research that warrant further investigation.
