RESEARCH
Software systems are increasing in complexity, with attendant increases in the number of vulnerabilities they contain. Remediating these vulnerabilities, ideally during the early requirements and design phases, has been highly resource-intensive, and is often omitted due to lack of knowledge, time, and/or funds. We propose an approach, applied in these early phases, to address the following issues: 1) to enhance the developer's security knowledge of the system, we introduce the notion of structural security posture, which uses a collection of metrics to assess a system’s security based on its structural view, 2) to guide the identification of vulnerabilities, we leverage external security data sources, and 3) to address the issue of resource intensiveness, we offer a tool for evaluating and analyzing a system's structural security posture. We illustrate how our approach facilitates the evaluation of design decisions to improve security using an example.