Jungwoo Ryoo, Pennsylvania State University, and Rick Kazman, University of Hawaii and Carnegie Mellon Software Engineering Institute
by Jacob Tate, Mount St. Mary’s University
In his talk titled “Architectural Analysis for Security (AAFS),” Jungwoo Ryoo explained that there is an absence of security practices in software architecture. His research concerns developing and implementing a methodology to test and secure software systems starting at the design phase. The architectural analysis is basically a structured way of discovering these security issues. It has frequently been common to implement methods like this after the design of the system, and Dr. Ryoo warned against this.
The method that he and his team developed has the following three steps: tactic-oriented analysis, pattern-oriented analysis, and vulnerability-oriented analysis. The first two steps should be conducted during the design phase by talking to an architect and identifying exactly how the system is designed and what patterns exist. The vulnerability-oriented analysis is usually concerned with software weaknesses, so this step usually deals with the actual code.
This method is not built completely from scratch, however. There are repositories that record vulnerabilities, and these can be useful resources. For example, the CWE categorizes various vulnerabilities and attacks such as SQL injection and XSS or cross-site scripting. Architects should take these types of security threats into account during the architecting or design phase. The future of this research project will focus on implementing this methodology on more case studies and then mapping between the patterns that are found and the CWE entries.
How do you ensure security in your architecture? Would you like to be involved in a case study? Leave a comment and let us know what you think! Also, look for an article in an IEEE publication concerning this research topic.