Towards an Architecture-Centric Approach to Security Analysis

Recently there has been increased attention to the consequences of architecture design decisions and their impact on security. Architectural design decisions have been identified as critical for achieving high levels of software system security. However, the majority of this research has been anecdotal, and there are few tools or methods for understanding the architectural relations among files and their impact on security. In this paper we employ a DRSpace-based analysis approach to identify architectural design flaws, and we show, via an empirical study of 10 open source projects, that areas of a software architecture that suffer from greater numbers of design flaws are highly correlated with security bugs and with high levels of churn associated with those security bugs. Finally, we show that a specific type of design flaw -- unstable interface -- is correlated with the greatest increase in software security bugs.
