Assessing the Impact of Refactoring on Security-Critical Object-Oriented Designs

Alshammari, Bandar; Fidge, Colin; Corney, Diane

doi:10.1109/apsec.2010.30

Cited by 17 publications

(9 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This paper builds on previous work that shows that refactoring can have a substantial effect on security metrics when applied to a software design [3]. We extend this work by using the search-based refactoring platform, Code-Imp, guided by security metrics to test if the security of source code can be improved in an automated fashion.…”

Section: Discussionmentioning

confidence: 99%

“…The security metrics we use in this paper are those defined by Alshammari et al [1,3,4]. These metrics are based on the information flow within a program or software design and cover such areas as data encapsulation, cohesion, coupling, composition, extensibility, inheritance and design size.…”

Section: Overview Of Security Metricsmentioning

confidence: 99%

“…They chose two principles to measure the security of designs from the perspective of information flow: grant least privilege [6] which means that each program component will have access to only the parts that it legitimately requires, and reduce attack surface [7] which means to reduce the amount of code running with an unauthenticated user. In a follow-up study that is more closely related to our work [3], Alshammari et al looked at the effect on their security metrics of applying refactorings to program designs. While this can provide static insight into the properties of the refactorings, it does not automate the improvement of the program as our approach does.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Improving Software Security Using Search-Based Refactoring

Ghaith

Cinnéide

2012

Search Based Software Engineering

View full text Add to dashboard Cite

Abstract. Security metrics have been proposed to assess the security of software applications based on the principles of "reduce attack surface" and "grant least privilege." While these metrics can help inform the developer in choosing designs that provide better security, they cannot on their own show exactly how to make an application more secure. Even if they could, the onerous task of updating the software to improve its security is left to the developer. In this paper we present an approach to automated improvement of software security based on search-based refactoring. We use the search-based refactoring platform, Code-Imp, to refactor the code in a fully-automated fashion. The fitness function used to guide the search is based on a number of software security metrics. The purpose is to improve the security of the software immediately prior to its release and deployment. To test the value of this approach we apply it to an industrial banking application that has a strong security dimension, namely Wife. The results show an average improvement of 27.5% in the metrics examined. A more detailed analysis reveals that 15.5% of metric improvement results in real improvement in program security, while the remaining 12% of metric improvement is attributable to hitherto undocumented weaknesses in the security metrics themselves.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Overview Of Security Metricsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Improving Software Security Using Search-Based Refactoring

Ghaith

Cinnéide

2012

Search Based Software Engineering

View full text Add to dashboard Cite

show abstract

“…Bandar uses the code refactoring rules in context of security assessment and recalculated the metric values on the basis of security assessment guidelines inspired from refactoring rules to validate the results for security. Bandar picks only 16 refactoring activities and reframe his observation for security restructuring 15 . Another work developed by Maruyama that aims to improve the security of a given program's code by identifying vulnerabilities by using design set of secure refactoring rules 16 .…”

Section: Formulation Of Rulesmentioning

confidence: 99%

Security Improvement of Object Oriented Design using Refactoring Rules

Khan¹,

Khan²

2015

IJMECS

View full text Add to dashboard Cite

Abstract-The main component of study is to confirm that how developed security model are helpful for security improvement of object oriented designs. Software refactoring is an essential activity during development and maintenance. It promotes the reengineering measures for improving quality and security of software. The researcher made an effort in this regard to develop security improvement guideline using refactoring activities for object oriented deign. The developed guidelines are helpful to control design complexity for improved security. A case study is adopted from refactoring example by fowler to implement the Security Improvement Guidelines (SIG). The developed Security Quantification Model (SQM OODC ) is being used to calculate the quantified value of security at each step. The proposed model SQM OODC calculates the effective security index by ensuring that revised version of object oriented design is being influenced through security improvement guidelines. There is some possibility that original code segment may have some security flaws, anomalies and exploitable entities or vulnerable information that may influence security at design stage. SIG is helpful to cease the security flaws, anomalies, exploitable entities into refactored code segment. Each refactored steps of case study match the prediction of the impact for refactoring rules on security and the impact study for security through SQM OODC model legalize the effectiveness of developed model and security improvement guidelines. The validated results of statistical analysis with different case studies of object oriented designs reflect the usefulness and acceptability of developed models and guidelines.

show abstract

“…However, these approaches do not allow enterprise systems' designers to assess the overall security of a given system based on its architecture. Recent studies conducted by Alshammari et al [7], [8], [15] had defined several security metrics for UML class designs, and described a tool for automatically evaluating such metrics [16]. The defined metrics assess the potential flow of security-critical data by measuring the accessibility of such data based on the security design principles of -granting least privilege‖ [17]- [19] and -reducing the size of the attack surface‖ [20], [14].…”

Section: Related Workmentioning

confidence: 99%

An Assessment Model for Security-Critical Enterprise Systems

Alshammari¹

2014

IJIET

View full text Add to dashboard Cite

Abstract-This paper presents a model for assessing security of enterprise systems. It focuses on the structural properties of enterprise systems' architectures in order to quantify their overall security. The model is built on the well-known three-tier architecture model and aims to identify the ways in which security-critical data values may be transferred between various components of the system's architecture. This paper extends the three-tier architecture model to add a fourth layer which defines a set of low-level security metrics developed based on systems' structural characteristics, such as data accessibility, coupling, cohesion and complexity. These metrics then are linked to relevant components of the three layers in the three-tier architecture model and hence defining a single security metric for each component. By combining security metrics of each layer's components, a single security index is defined that forms the security value of each layer. Finally, the entire system's security is summarised as a single security value. These metrics allow different architecture of the same system, or different systems with similar functionalities, to be compared for their relative security at a number of different abstraction levels at an early stage of development for any enterprise system. Index Terms-Security models, three-tier architecture, security metrics, enterprise systems. I. INTRODUCTIONMuch existing software is designed with poor consideration of information security which makes it vulnerable to many threats including malicious attacks [1]. Software patches are one of the suggested solutions for many of the security attacks facing software [1] but they are expensive to develop and deploy, and do not solve basic design weaknesses in the program code. Another solution to achieve a secure product is by following a trustworthy security process [2]. Security processes, in general, consider many aspects of system design, coding, testing, and auditing [2] (e.g., international security standards such as the Common Criteria [3] or the Trusted Computer Criteria [4]). Another common approach for achieving a secure computer program is by following certain coding guidelines which focus on the level of individual program statements (e.g., to avoid/detect buffer overflows [5]). However, these solutions do not always work effectively and may, in general, even introduce new vulnerabilities to existing software [1].The most promising approach is the one which is capable of quantifying security of a given system at an early stage of development (i.e., security metrics). Several types of metrics Manuscript received September 14, 2013; revised November 25, 2013. B. M. Alshammari is with the Information Technology Department, University of Aljouf, Saudi Arabia (e-mail: bmshammeri@ju.edu.sa).have been defined in the literature which aim to measure security of programs. These include metrics which assess security at the abstract system architecture level [6], at the design phase [7], [8], and at the low level of program cod...

show abstract

Assessing the Impact of Refactoring on Security-Critical Object-Oriented Designs

Cited by 17 publications

References 11 publications

Improving Software Security Using Search-Based Refactoring

Improving Software Security Using Search-Based Refactoring

Security Improvement of Object Oriented Design using Refactoring Rules

An Assessment Model for Security-Critical Enterprise Systems

Contact Info

Product

Resources

About