Reviewing software system architecture to pinpoint potential security flaws before proceeding with system development is a critical milestone in secure software development lifecycles. This includes identifying possible attacks or threat scenarios that target the system and may result in a breach of system security. Additionally, we may assess the strength of the system and its security architecture using well-known security metrics such as system attack surface, compartmentalization, least privilege, etc. However, existing efforts are limited to specific, predefined security properties or scenarios that are checked either manually or using limited toolsets. We introduce a new approach to support architecture security analysis using security scenarios and metrics. Our approach is based on formalizing the specification of attack scenario and security metric signatures using the Object Constraint Language (OCL). Using formal signatures, we analyse a target system to locate signature matches (for attack scenarios) or to take measurements (for security metrics). New scenarios and metrics can be incorporated and calculated provided that a formal signature can be specified. Our approach supports defining security metrics and scenarios at architecture, design, and code levels. We have developed a prototype software system architecture security analysis tool. To the best of our knowledge, this is the first extensible architecture security risk analysis tool that supports both metric-based and scenario-based architecture security analysis. We have validated our approach by using it to capture and evaluate signatures from the NIST security principles and attack scenarios defined in the CAPEC database.
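The signature idea described in the abstract can be sketched as follows; this is an added example, not the paper's tool or its OCL signatures. It registers one scenario signature (returns matches) and one metric signature (returns a measurement) against the same architecture model. The model classes, the `zone` and `encrypted` attributes, the signature names and the OCL-style comments are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    zone: str    # trust zone label (assumed model attribute)

@dataclass(frozen=True)
class Connector:
    source: str
    target: str
    encrypted: bool

@dataclass
class Architecture:
    components: dict   # name -> Component
    connectors: list
    def zone_of(self, name):
        return self.components[name].zone

# Registry: a new scenario or metric is added without changing the analyser.
SIGNATURES = {"scenario": {}, "metric": {}}

def signature(kind, name):
    def register(fn):
        SIGNATURES[kind][name] = fn
        return fn
    return register

# OCL-style (assumed): connectors->select(c | c.source.zone <> c.target.zone and not c.encrypted)
@signature("scenario", "cleartext-link-across-trust-zones")
def cleartext_cross_zone(a):
    return [(c.source, c.target) for c in a.connectors
            if a.zone_of(c.source) != a.zone_of(c.target) and not c.encrypted]

# OCL-style (assumed): connectors->select(c | c.source.zone = 'internet')->size()
@signature("metric", "attack-surface")
def attack_surface(a):
    return sum(1 for c in a.connectors if a.zone_of(c.source) == "internet")

def analyse(a):
    return {kind: {n: fn(a) for n, fn in sigs.items()} for kind, sigs in SIGNATURES.items()}

# Constructed sample model, not taken from the paper.
SAMPLE = Architecture(
    components={c.name: c for c in [Component("browser", "internet"), Component("web", "dmz"),
                                    Component("app", "internal"), Component("db", "internal")]},
    connectors=[Connector("browser", "web", True), Connector("web", "app", False),
                Connector("app", "db", False)])
```

Calling `analyse(SAMPLE)` reports the unencrypted `web` to `app` link as a scenario match and an attack-surface measurement of one internet-facing connector.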