A Data-Driven Approach to Evaluate the Security of System Designs

Carleton University · M.A.Sc. Thesis · 2021

Tags: Data-Driven Security · Security Evaluation · Security Metrics · Attack Surface Metric

The Gap

While several design-level security metrics exist to evaluate vulnerabilities in system design, it is unclear which metrics provide a sound scientific basis for their characterization. Lack of security knowledge among average development teams and the lack of tool support are additional challenges that compound this problem.

which led us to ask

The Question

How can security metrics help architects measure and minimize a system's attack surface during the design phase — rather than after deployment?

The Approach

We present a data-driven approach for the security evaluation of system designs to address these challenges. The approach aims to incrementally improve system security and decision-making at design time. We integrate the attack surface metric — which we found to be sound in our evaluation of widely-used security metrics — and leverage external data sources to characterize the structural security posture of software systems.
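To make the "attack surface metric" concrete, here is an added illustration (not the thesis's toolkit or code) of how a design-level measurement can be computed and compared between two candidate designs. It assumes the Manadhata-and-Wing-style formulation in which each method (entry/exit point), channel and untrusted data item contributes a damage-potential-to-effort ratio and the three dimensions are reported separately; the weight tables, the two sample designs and the per-component factor standing in for an "external data source" are all constructed for the example.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Optional, Tuple

# Constructed weight tables. Damage potential grows with the privilege a method
# runs at, the protocol a channel exposes and the kind of data item; attacker
# effort grows with the access right needed to reach the resource.
PRIVILEGE = {"root": 5, "service": 3, "user": 1}
PROTOCOL = {"http": 3, "https": 2, "ssh": 2}
DATA_KIND = {"file": 2, "db-record": 3}
ACCESS_RIGHT = {"unauthenticated": 1, "authenticated": 3, "admin": 5}


@dataclass(frozen=True)
class Method:
    """An entry or exit point of the design."""
    name: str
    component: str
    privilege: str
    access_right: str


@dataclass(frozen=True)
class Channel:
    name: str
    protocol: str
    access_right: str


@dataclass(frozen=True)
class DataItem:
    name: str
    kind: str
    access_right: str


@dataclass(frozen=True)
class Design:
    methods: Tuple[Method, ...]
    channels: Tuple[Channel, ...]
    data_items: Tuple[DataItem, ...]


def measure(design: Design,
            component_weight: Optional[Dict[str, Fraction]] = None) -> Dict[str, Fraction]:
    """Sum damage-potential / effort ratios along the three dimensions.

    `component_weight` is a hypothetical hook for an external data source: a
    per-component factor (for instance derived from that component's
    vulnerability history) that scales its methods' contributions.
    Components without an entry keep a factor of 1.
    """
    cw = component_weight or {}
    methods = sum((Fraction(PRIVILEGE[m.privilege]) * Fraction(cw.get(m.component, 1))
                   / ACCESS_RIGHT[m.access_right] for m in design.methods), Fraction(0))
    channels = sum((Fraction(PROTOCOL[c.protocol], ACCESS_RIGHT[c.access_right])
                    for c in design.channels), Fraction(0))
    data = sum((Fraction(DATA_KIND[d.kind], ACCESS_RIGHT[d.access_right])
                for d in design.data_items), Fraction(0))
    return {"methods": methods, "channels": channels, "data": data}


def dominates(candidate: Design, baseline: Design,
              component_weight: Optional[Dict[str, Fraction]] = None) -> bool:
    """True if `candidate` is no worse on every dimension and strictly better on one."""
    a = measure(candidate, component_weight)
    b = measure(baseline, component_weight)
    return all(a[k] <= b[k] for k in a) and any(a[k] < b[k] for k in a)


# Constructed sample designs: the hardened variant puts the reset method behind
# admin rights and moves the public channel to HTTPS; everything else is shared.
_COMMON_DATA = (DataItem("session-store", "db-record", "authenticated"),
                DataItem("config", "file", "admin"))
BASELINE = Design(
    methods=(Method("admin_reset", "auth-service", "root", "unauthenticated"),
             Method("login", "auth-service", "service", "unauthenticated"),
             Method("get_profile", "api", "user", "authenticated")),
    channels=(Channel("public-api", "http", "unauthenticated"),
              Channel("ops", "ssh", "admin")),
    data_items=_COMMON_DATA)
HARDENED = Design(
    methods=(Method("admin_reset", "auth-service", "root", "admin"),
             Method("login", "auth-service", "service", "unauthenticated"),
             Method("get_profile", "api", "user", "authenticated")),
    channels=(Channel("public-api", "https", "unauthenticated"),
              Channel("ops", "ssh", "admin")),
    data_items=_COMMON_DATA)
# Constructed stand-in for an external data source: auth-service is weighted up.
EXTERNAL_WEIGHT = {"auth-service": Fraction(3, 2)}

if __name__ == "__main__":
    for label, design in (("baseline", BASELINE), ("hardened", HARDENED)):
        print(label, {k: str(v) for k, v in measure(design, EXTERNAL_WEIGHT).items()})
    print("hardened dominates baseline:", dominates(HARDENED, BASELINE, EXTERNAL_WEIGHT))
```

Reporting the three dimensions separately rather than collapsing them into one number is deliberate: it lets an architect see which change (tightening an access right, changing a protocol) moved which part of the surface, and `dominates` only declares an improvement when no dimension got worse.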

The Transformation

Several tools were developed to automate the approach, forming a cohesive toolkit that enables system architects and developers to evaluate and improve the security of their designs. The approach supports the architecture design phase of the SDLC through its security evaluation and assurance activities.