Analyzing Structural Security Posture to Evaluate System Design Decisions
How can we evaluate a system's structural security posture early in the design phase — before vulnerabilities become costly to fix?
The 21st IEEE International Conference on Software Quality, Reliability, and Security (QRS 2021)
IEEE · 2021
A common challenge is the rush to market that commercial development teams face, leaving very little time to design software that is secure as well as functional. The average development team lacks the know-how and the tools to create secure software. There has not been sufficient motivation for developers to produce secure software — if an application fails due to a security flaw, the application's vendor is not subject to legal penalties, unlike the construction company for a bridge that collapses due to a mechanical design flaw.
The Approach
We propose an approach applied in the early requirements and design phases to address three issues:
1. To enhance the developer's security knowledge of the system, we introduce the notion of structural security posture, which uses a collection of metrics to assess a system's security based on its structural view.
2. To guide the identification of vulnerabilities, we leverage external security data sources.
3. To address the issue of resource intensiveness, we offer a tool for evaluating and analyzing a system's structural security posture.
The Transformation
We illustrate, using a concrete example, how our approach facilitates the evaluation of design decisions to improve security. The approach is carried out at the architecture design stage early in the SDLC, when changes are less costly and when the negative impacts of poor design decisions, which multiply once they reach the code level, can still be avoided.