A Catalog of Security Architecture Weaknesses
Title | A Catalog of Security Architecture Weaknesses |
Publication Type | Conference Paper |
Year of Publication | 2017 |
Authors | Santos, J. C. S., Tarrit, K., Mirakhorli, M. |
Conference Name | 2017 IEEE International Conference on Software Architecture Workshops (ICSAW) |
Keywords | architectural choices, architectural decisions, Architecture, authentication, CAWE, CAWE catalog, Common Architectural Weakness Enumeration, composability, Computer architecture, Computer bugs, Flaw, interactive systems, interactive Web-based solution, Internet, mitigation techniques, pubcrawl, Scalability, secure software systems, security architectural flaw identification, security architecture weaknesses, security bugs, security design thinking, security of data, security tactics, software architecture, software architecture design, software assurance, software quality, software reliability, Software systems, weakness |
Abstract | Secure by design is an approach to developing secure software systems from the ground up. In such approach, the alternate security tactics are first thought, among them, the best are selected and enforced by the architecture design, and then used as guiding principles for developers. Thus, design flaws in the architecture of a software system mean that successful attacks could result in enormous consequences. Therefore, secure by design shifts the main focus of software assurance from finding security bugs to identifying architectural flaws in the design. Current research in software security has been neglecting vulnerabilities which are caused by flaws in a software architecture design and/or deteriorations of the implementation of the architectural decisions. In this paper, we present the concept of Common Architectural Weakness Enumeration (CAWE), a catalog which enumerates common types of vulnerabilities rooted in the architecture of a software and provides mitigation techniques to address them. The CAWE catalog organizes the architectural flaws according to known security tactics. We developed an interactive web-based solution which helps designers and developers explore this catalog based on architectural choices made in their project. CAWE catalog contains 224 weaknesses related to security architecture. Through this catalog, we aim to promote the awareness of security architectural flaws and stimulate the security design thinking of developers, software engineers, and architects. |
URL | http://ieeexplore.ieee.org/document/7958491/ |
DOI | 10.1109/ICSAW.2017.25 |
Citation Key | santos_catalog_2017 |
- pubcrawl
- weakness
- Software systems
- software reliability
- software quality
- software assurance
- software architecture design
- Software Architecture
- security tactics
- security of data
- security design thinking
- security bugs
- security architecture weaknesses
- security architectural flaw identification
- secure software systems
- Scalability
- architectural choices
- mitigation techniques
- internet
- interactive Web-based solution
- interactive systems
- Flaw
- Computer bugs
- computer architecture
- composability
- Common Architectural Weakness Enumeration
- CAWE catalog
- CAWE
- authentication
- architecture
- architectural decisions