Security Design

The Experts below are selected from a list of 5259 Experts worldwide ranked by the ideXlab platform

Riccardo Scandariato - One of the best experts on this subject based on the ideXlab platform.

  • ASE Workshops - Towards Automated Security Design Flaw Detection
    2019 34th IEEE ACM International Conference on Automated Software Engineering Workshop (ASEW), 2019
    Co-Authors: Laurens Sion, Katja Tuma, Riccardo Scandariato, Koen Yskout, Wouter Joosen
    Abstract:

    Efficiency of Security-by-Design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at Design time for potential Security Design flaws, based on natural language descriptions of Security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 Security Design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of Design-level Security. Our findings are illustrated on an IoT-based smart home system.

  • ECSA (Companion) - Inspection guidelines to identify Security Design flaws
    Proceedings of the 13th European Conference on Software Architecture - ECSA '19 - volume 2, 2019
    Co-Authors: Katja Tuma, Danial Hosseini, Kyriakos Malamas, Riccardo Scandariato
    Abstract:

    Recent trends in the software development practices (Agile, DevOps, CI) have shortened the development life-cycle causing the need for efficient Security-by-Design approaches. In this context, software architectures are analyzed for potential vulnerabilities and Design flaws. Yet, Design flaws are often documented with natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC) there is little systematized knowledge on Security Design flaws. The purpose of this work is to present and evaluate a catalog of Security Design flaws accompanied by inspection guidelines for their detection. To this aim, we conduct empirical studies with master and doctoral students. This paper presents a catalog of 19 inspection guidelines for detecting Security Design flaws and contributes with an empirical evaluation of the inspection guidelines. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies.

  • Inspection Guidelines to Identify Security Design Flaws
    arXiv: Software Engineering, 2019
    Co-Authors: Katja Tuma, Danial Hosseini, Kyriakos Malamas, Riccardo Scandariato
    Abstract:

    Recent trends in the software development practices (Agile, DevOps, CI) have shortened the development life-cycle causing the need for efficient Security-by-Design approaches. In this context, software architectures are analyzed for potential vulnerabilities and Design flaws. Yet, Design flaws are often documented with natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC) there is little systematized knowledge on Security Design flaws. The purpose of this work is to provide a catalog of Security Design flaws and to empirically evaluate the inspection guidelines for detecting Security Design flaws. To this aim, we present a catalog of 19 Security Design flaws and conduct empirical studies with master and doctoral students. This paper contributes with: (i) a catalog of Security Design flaws, (ii) an empirical evaluation of the inspection guidelines with master students, and (iii) a replicated evaluation with doctoral students. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies and discuss the potential for automating the Security Design flaw detection.

  • MoDELS - SoSPa: a system of Security Design patterns for systematically engineering secure systems
    2015 ACM IEEE 18th International Conference on Model Driven Engineering Languages and Systems (MODELS), 2015
    Co-Authors: Phu H. Nguyen, Riccardo Scandariato, Koen Yskout, Thomas Heyman, Jacques Klein, Yves Le Traon
    Abstract:

    Model-Driven Security (MDS) for secure systems development still has limitations to be more applicable in practice. A recent systematic review of MDS shows that current MDS approaches have not dealt with multiple Security concerns systematically. Besides, catalogs of Security patterns which can address multiple Security concerns have not been applied efficiently. This paper presents an MDS approach based on a unified System of Security Design Patterns (SoSPa). In SoSPa, Security Design patterns are collected, specified as reusable aspect models to form a coherent system of them that guides developers in systematically addressing multiple Security concerns. SoSPa consists of not only interrelated Security Design patterns but also a refinement process towards their application. We applied SoSPa to Design the Security of crisis management systems. The result shows that multiple Security concerns in the case study have been addressed by systematically integrating different Security solutions.

Wouter Joosen - One of the best experts on this subject based on the ideXlab platform.

  • ASE Workshops - Towards Automated Security Design Flaw Detection
    2019 34th IEEE ACM International Conference on Automated Software Engineering Workshop (ASEW), 2019
    Co-Authors: Laurens Sion, Katja Tuma, Riccardo Scandariato, Koen Yskout, Wouter Joosen
    Abstract:

    Efficiency of Security-by-Design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at Design time for potential Security Design flaws, based on natural language descriptions of Security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 Security Design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of Design-level Security. Our findings are illustrated on an IoT-based smart home system.

Koen Yskout - One of the best experts on this subject based on the ideXlab platform.

  • ASE Workshops - Towards Automated Security Design Flaw Detection
    2019 34th IEEE ACM International Conference on Automated Software Engineering Workshop (ASEW), 2019
    Co-Authors: Laurens Sion, Katja Tuma, Riccardo Scandariato, Koen Yskout, Wouter Joosen
    Abstract:

    Efficiency of Security-by-Design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at Design time for potential Security Design flaws, based on natural language descriptions of Security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 Security Design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of Design-level Security. Our findings are illustrated on an IoT-based smart home system.

  • MoDELS - SoSPa: a system of Security Design patterns for systematically engineering secure systems
    2015 ACM IEEE 18th International Conference on Model Driven Engineering Languages and Systems (MODELS), 2015
    Co-Authors: Phu H. Nguyen, Riccardo Scandariato, Koen Yskout, Thomas Heyman, Jacques Klein, Yves Le Traon
    Abstract:

    Model-Driven Security (MDS) for secure systems development still has limitations to be more applicable in practice. A recent systematic review of MDS shows that current MDS approaches have not dealt with multiple Security concerns systematically. Besides, catalogs of Security patterns which can address multiple Security concerns have not been applied efficiently. This paper presents an MDS approach based on a unified System of Security Design Patterns (SoSPa). In SoSPa, Security Design patterns are collected, specified as reusable aspect models to form a coherent system of them that guides developers in systematically addressing multiple Security concerns. SoSPa consists of not only interrelated Security Design patterns but also a refinement process towards their application. We applied SoSPa to Design the Security of crisis management systems. The result shows that multiple Security concerns in the case study have been addressed by systematically integrating different Security solutions.

Katja Tuma - One of the best experts on this subject based on the ideXlab platform.

  • ASE Workshops - Towards Automated Security Design Flaw Detection
    2019 34th IEEE ACM International Conference on Automated Software Engineering Workshop (ASEW), 2019
    Co-Authors: Laurens Sion, Katja Tuma, Riccardo Scandariato, Koen Yskout, Wouter Joosen
    Abstract:

    Efficiency of Security-by-Design has become an important goal for organizations implementing software engineering practices such as Agile, DevOps, and Continuous Integration. Software architectures are (often manually) analyzed at Design time for potential Security Design flaws, based on natural language descriptions of Security weaknesses (e.g., CWE, CAPEC). The use of natural language hinders the application of such knowledge bases in an automated fashion. In this paper, we analyze an existing catalog of 19 Security Design flaws in order to identify conceptual, technology-independent requirements on architectural models that enable automatically detecting these flaws. This constitutes the first step towards automated assessment of Design-level Security. Our findings are illustrated on an IoT-based smart home system.

  • ECSA (Companion) - Inspection guidelines to identify Security Design flaws
    Proceedings of the 13th European Conference on Software Architecture - ECSA '19 - volume 2, 2019
    Co-Authors: Katja Tuma, Danial Hosseini, Kyriakos Malamas, Riccardo Scandariato
    Abstract:

    Recent trends in the software development practices (Agile, DevOps, CI) have shortened the development life-cycle causing the need for efficient Security-by-Design approaches. In this context, software architectures are analyzed for potential vulnerabilities and Design flaws. Yet, Design flaws are often documented with natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC) there is little systematized knowledge on Security Design flaws. The purpose of this work is to present and evaluate a catalog of Security Design flaws accompanied by inspection guidelines for their detection. To this aim, we conduct empirical studies with master and doctoral students. This paper presents a catalog of 19 inspection guidelines for detecting Security Design flaws and contributes with an empirical evaluation of the inspection guidelines. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies.

  • Inspection Guidelines to Identify Security Design Flaws
    arXiv: Software Engineering, 2019
    Co-Authors: Katja Tuma, Danial Hosseini, Kyriakos Malamas, Riccardo Scandariato
    Abstract:

    Recent trends in the software development practices (Agile, DevOps, CI) have shortened the development life-cycle causing the need for efficient Security-by-Design approaches. In this context, software architectures are analyzed for potential vulnerabilities and Design flaws. Yet, Design flaws are often documented with natural language and require a manual analysis, which is inefficient. Besides low-level vulnerability databases (e.g., CWE, CAPEC) there is little systematized knowledge on Security Design flaws. The purpose of this work is to provide a catalog of Security Design flaws and to empirically evaluate the inspection guidelines for detecting Security Design flaws. To this aim, we present a catalog of 19 Security Design flaws and conduct empirical studies with master and doctoral students. This paper contributes with: (i) a catalog of Security Design flaws, (ii) an empirical evaluation of the inspection guidelines with master students, and (iii) a replicated evaluation with doctoral students. We also account for the shortcomings of the inspection guidelines and make suggestions for their improvement with respect to the generalization of guidelines, catalog re-organization, and format of documentation. We record similar precision, recall, and productivity in both empirical studies and discuss the potential for automating the Security Design flaw detection.

Kevin Borders - One of the best experts on this subject based on the ideXlab platform.

  • Analyzing websites for user-visible Security Design flaws
    Symposium On Usable Privacy and Security, 2008
    Co-Authors: Laura Falk, Atul Prakash, Kevin Borders
    Abstract:

    An increasing number of people rely on secure websites to carry out their daily business. A survey conducted by Pew Internet states 42% of all internet users bank online. Considering the types of secure transactions being conducted, businesses are rigorously testing their sites for Security flaws. In spite of this testing, some Design flaws still remain that prevent secure usage. In this paper, we examine the prevalence of user-visible Security Design flaws by looking at sites from 214 U.S. financial institutions. We specifically chose financial websites because of their high Security requirements. We found a number of flaws that may lead users to make bad Security decisions, even if they are knowledgeable about Security and exhibit proper browser use consistent with the site's Security policies. To our surprise, these Design flaws were widespread. We found that 76% of the sites in our survey suffered from at least one Design flaw. This indicates that these flaws are not widely understood, even by experts who are responsible for web Security. Finally, we present our methodology for testing websites and discuss how it can help systematically discover user-visible Security Design flaws.
