Architectural Risk Analysis of Software Systems Based on Security Patterns

Software security is of profound importance, since most attacks on software systems are based on vulnerabilities caused by poorly designed and developed software. Furthermore, enforcing security in software systems at the design phase can reduce the high cost and effort associated with introducing security during implementation. For this purpose, security patterns that offer security at the architectural level have been proposed, in analogy to the well-known design patterns. The main goal of this paper is to perform risk analysis of software systems based on the security patterns that they contain. The first step is to determine to what extent specific security patterns shield from known attacks. This information is fed to a mathematical model based on fuzzy-set theory and fuzzy fault trees in order to compute the risk for each category of attacks. The whole process has been automated using a methodology that extracts the risk of a software system by reading the class diagram of the system under study.
