[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
research-article

Research on software design level security vulnerabilities

Published: 03 December 2009 Publication History

Abstract

One of the major problems in software security is the lack of knowledge about security among software developers. Even if a developer has good knowledge about current software vulnerabilities, they generally have little or no idea about the causes and measures that can avoid those vulnerabilities. Now it is established fact that most of the vulnerabilities arise in design phase of the software development lifecycle. Keeping in view the importance of software design level security, a study of current software design level vulnerabilities and their cause is conducted. In this paper, we discuss current practices in specific software design tasks, vulnerabilities and mitigation mechanism. On the basis of the critical review, areas of research are identified that warrant further investigation.

References

[1]
Stuart Edward Schechter (2004): Computer Security Strength & Risk: A Quantitative Approach.Thesis, Harvard University, Cambridge, Massachusetts, 2004, pp 1.
[2]
G. McGraw (2003): From the Ground Up: The DIMACS Software Security Workshop. In IEEE Security & Privacy, vol. 1, 2003, pp. 59--66.
[3]
Laura Falk, Atul Prakash and Kevin Borders (2008): Analyzing websites for user-visible security design flaws. In ACM International Conference Proceeding Series; Vol. 337, 2008, pp.117--126.
[4]
Viega, J. and McGraw (2002): Building Secure Software: How to Avoid Security Problems in the Right Way. Addison Wesley, USA, 2002.
[5]
Hoglund G. and McGraw G (2004): Exploiting Software: How to Break Code. Addison-Wesley, 2004.
[6]
http://www.devdaily.com/java/java_oo/node2.shtml
[7]
Pravir Chandra (Project Lead) (2006): CLASP -Comprehensive, Lightweight Application Security Process, Version 1.2, Version Date: 31 march 2006. URL: http://www.owasp.org/index.php/Category: OWASP_CLASP_Project.
[8]
Haralambos Mouratidis, Jan Jürjens and Jorge Fox (2006): Towards a Comprehensive Framework for Secure Systems Development. In Advanced Information Systems Engineering, 2006, pp. 48--62.
[9]
Jing Dong, Tu Peng and Yajing Zhao (2007): Model Checking Security Pattern Compositions. In Seventh International Conference on Quality Software, 2007, pp.80--89.
[10]
Zhiqiang Liny, Xuxian Jiangz, Dongyan Xux, Bing Maoy, and Li Xiey (2007): AutoPaG: Towards Automated Software Patch Generation with Source Code Root Cause Identification and Repair. In ASIACCS, 2007.
[11]
URL - http://www.first.org/cvss/
[12]
A.S. Sodiya, S.A. Onashoga, and B. A. Oladunjoye (2007): Threat Modeling Using Fuzzy Logic Paradigm. In Informing Science and Information Technology, Volume 4, 2007.
[13]
Johan Grégoire, Koen Buyens, Bart De Win, Riccardo Scandariato and Wouter Joosen (2007): On the Secure Software Development Process: CLASP and SDL Compared. In the proceedings of the Third IEEE International Workshop on Software Engineering for Secure Systems, 2007.
[14]
NHS and NIST, National Vulnerability Database (NVD), automating vulnerability management, security measurement, and compliance checking, URL- http://nvd.nist.gov/scap.cfm, (Accessed on 11 June 2009).
[15]
J. A. Wang and Minzhe Guo (2009): OVM: An Ontology for Vulnerability Management. In Proceedings of CSIIRW'09, Tennessee, USA, 2009.
[16]
Zhongqiang Chen, Yuan Zhang and Zhongrong Chen (2009): A Categorization Framework for Common Computer Vulnerabilities and Exposures. In the Computer Journal Advance Access published online on May 7, 2009, URL-http://comjnl.oxfordjournals.org/ cgi/content/abstract/bxp040
[17]
M.A. Hadavi, H. M. Sangchi, V. S. Hamishagi and H. Shirazi (2008): Software Security; A Vulnerability Activity Revisit. In the Third International Conference on Availability, Reliability and Security, IEEE, 2008.
[18]
Per Håkon Meland and Jostein Jensen (2008): Secure Software Design in Practice. In the Third International Conference on Availability, Reliability and Security, IEEE, 2008.
[19]
Dianxiang Xu and Kendall Nygard (2005): A Threat Driven Approach to Modeling and Verifying Secure Software. In the Proceeding of the 20thIEEE International Conference on Automated Software Engineering, 2005.
[20]
Xiaohong Li and Ke He (2008): A Unified Threat Model for Assessing Threat in Web Applications. In the International Journal of Security and its Applications, Vol. 2, No. 3, July, 2008.
[21]
Ivan Flechais, Cecilia Mascolo and M. Angela Sasse (2007): Integrating security and usability into the requirements and design process. In the International Journal of Electronic Security and Digital Forensics, Vol. 1, 2007, pp 12--26.
[22]
G. Peterson (2004): Collaboration in Secure Development process, Part 1. Information Security Bulletin 9, June 2004, pp. 165--172. URL - http://arctecgroup.net/ISB0905GP.pdf
[23]
Chad Dougherty, Kirk Sayre, Robert C. Seacord, David Svoboda and Kazuya Togashi (2009): Secure Design Patterns. Technical Report, CMU/SEI-2009-TR-010, ESC-TR-2009-010, 2009.
[24]
Haralambos Mouratidis and Paolo Giorgini (2007): Secure Tropos: a Security-Oriented Extension of the Tropos Methodology, In International Journal of Software Engineering and Knowledge Engineering, Volume 17, 2007, pp.285--309.
[25]
Jun Kong Dianxiang Xu (2008): A UML-based Framework for Design and Analysis of Dependable Software. In Annual IEEE International Computer Software and Applications Conference, 2008, pp.28--31.
[26]
Jie Zhou and Jim Alves-Foss (2008): Security policy refinement and enforcement for the design of multi-level secure systems. In Journal of Computer Security, Volume 16, Issue 2, April 2008, pp. 107--131.
[27]
Eduardo B. Fernandez (2009): Security Patterns and A Methodology to Apply them. In Security and Dependability for Ambient Intelligence, Volume 45, Springer US, 2009, pp.37--46.
[28]
Mustafa k. et al (2008): Development of Security Assessment Framework for Object Oriented Software. Project Report, Submitted to DIT, Ministry of Communication and IT, Govt. of India, (2008).
[29]
Hakjin Lee, Hyunsang Youn, and Eunseok Lee (2008): A Design Pattern Detection Technique that Aids Reverse Engineering. In International Journal of Security and its Applications, Vol. 2, 2008.
[30]
Linzhang Wang Eric Wong (2007): A Threat Model Driven Approach for Security Testing, In International Workshop on Software Engineering for Secure Systems, IEEE, 2007.

Cited By

View all
  • (2024)VALIDATEInformation and Software Technology10.1016/j.infsof.2024.107448170:COnline publication date: 1-Jun-2024
  • (2023)Automatic Security-Flaw Detection Replication and Comparison2023 ACM/IEEE 26th International Conference on Model Driven Engineering Languages and Systems (MODELS)10.1109/MODELS58315.2023.00027(84-94)Online publication date: 1-Oct-2023
  • (2017)A Catalog of Security Architecture Weaknesses2017 IEEE International Conference on Software Architecture Workshops (ICSAW)10.1109/ICSAW.2017.25(220-223)Online publication date: Apr-2017
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM SIGSOFT Software Engineering Notes
ACM SIGSOFT Software Engineering Notes  Volume 34, Issue 6
November 2009
115 pages
ISSN:0163-5948
DOI:10.1145/1640162
Issue’s Table of Contents

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 December 2009
Published in SIGSOFT Volume 34, Issue 6

Check for updates

Author Tags

  1. mitigation mechanisms
  2. research
  3. security
  4. software design
  5. vulnerabilities

Qualifiers

  • Research-article

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)40
  • Downloads (Last 6 weeks)3
Reflects downloads up to 20 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2024)VALIDATEInformation and Software Technology10.1016/j.infsof.2024.107448170:COnline publication date: 1-Jun-2024
  • (2023)Automatic Security-Flaw Detection Replication and Comparison2023 ACM/IEEE 26th International Conference on Model Driven Engineering Languages and Systems (MODELS)10.1109/MODELS58315.2023.00027(84-94)Online publication date: 1-Oct-2023
  • (2017)A Catalog of Security Architecture Weaknesses2017 IEEE International Conference on Software Architecture Workshops (ICSAW)10.1109/ICSAW.2017.25(220-223)Online publication date: Apr-2017
  • (2016)Embedding Model-Based Security Policies in Software Development2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS)10.1109/BigDataSecurity-HPSC-IDS.2016.46(116-122)Online publication date: Apr-2016
  • (2014)Architecture-Centric Testing for SecurityAgile Software Architecture10.1016/B978-0-12-407772-0.00009-5(245-267)Online publication date: 2014
  • (2013)Vulnerability Scrying Method for Software Vulnerability Discovery Prediction Without a Vulnerability DatabaseIEEE Transactions on Reliability10.1109/TR.2013.225705262:2(395-407)Online publication date: Jun-2013
  • (2012)Software SecurityProceedings of the 2012 Ninth International Conference on Information Technology - New Generations10.1109/ITNG.2012.60(815-818)Online publication date: 16-Apr-2012

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media