Inspection Guidelines to Identify Security Design Flaws

by   Katja Tuma, et al.

Recent trends in the software development practices (Agile, DevOps, CI) have shortened the development life-cycle causing the need for efficient security-by-design approaches. In this context, software architectures are analyzed for potential vulnerabilities and design flaws. Yet, design flaws are often documented with natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC) there is little systematized knowledge on security design flaws. The purpose of this work is to provide a catalog of security design flaws and to empirically evaluate the inspection guidelines for detecting security design flaws. To this aim, we present a catalog of 19 security design flaws and conduct empirical studies with master and doctoral students. This paper contributes with: (i) a catalog of security design flaws, (ii) an empirical evaluation of the inspection guidelines with master students, and (iii) a replicated evaluation with doctoral students. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies and discuss the potential for automating the security design flaw detection.


page 1

page 2

page 3

page 4


Integration of Security Modules in Software Development Lifecycle Phases

Information protection is becoming a focal point for designing, creating...

Improved YOLOv8 Detection Algorithm in Security Inspection Image

Security inspection is the first line of defense to ensure the safety of...

"I Don't Know Too Much About It": On the Security Mindsets of Computer Science Students

The security attitudes and approaches of software developers have a larg...

Evaluating the Impact of ChatGPT on Exercises of a Software Security Course

Along with the development of large language models (LLMs), e.g., ChatGP...

How to design browser security and privacy alerts

It is important to design browser security and privacy alerts so as to m...

Constructive Master's Thesis Work in Industry: Guidelines for Applying Design Science Research

Context: Software engineering researchers and practitioners rely on empi...

Learning to Identify Security-RelatedIssues Using Convolutional Neural Networks

Software security is becoming a high priority for both large companies a...

Please sign up or login with your details

Forgot password? Click here to reset