Indicator-based architecture-level security evaluation in a service-oriented environment

Antonino, Pablo Oliveira; Duszynski, Slawomir; Jung, Christian; Rudolph, Manuel

doi:10.1145/1842752.1842795

Cited by 11 publications

(8 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One of the studies in this field is by Antonino et al [42] who define an evaluation technique for measuring the security of an existing service-oriented architecture. This evaluation technique is based on two types of metrics: severity and credibility.…”

Section: A Software Security Metricsmentioning

confidence: 99%

“…This evaluation technique is based on two types of metrics: severity and credibility. Severity relates to the value of tagged security artifacts while credibility is the probability of correctly assigning a tag to its relevant system component [42].Further work in this area was conducted by Liu et al who proposed a model called the "User System Interaction Effect (USIE)" [43]. The USIE model is responsible for providing a systematic approach to identify security defects from the architecture of a service-oriented system [43].…”

mentioning

confidence: 99%

See 1 more Smart Citation

Developing Secure Systems: A Comparative Study of Existing Methodologies

Alshammari¹,

Fidge²,

Corney³

2016

LNSE

View full text Add to dashboard Cite

Abstract-With the increasing demand for developing high-quality and more reliable systems, the process of developing trustworthy computer software is a challenging one. In this paper, we review various approaches to producing more secure systems. This includes established general principles for designing secure systems. It also provides an introduction to general software quality measurements including existing software security metrics. This paper also includes a comparison of the various security metrics for developing secure systems (i.e., architectural, design, and code-level metrics). Lastly, the paper examines the approach of refactoring, illustrates its objectives, and shows how refactoring is generally used for enhancing the quality of existing programs from the perspective of information security. At the end of this paper, we provide a discussion of these three approaches and how they can be used to provide guidance for future secure software development processes.Index Terms-Security design principles, object-orientation, security metrics, secure refactoring. I. INTRODUCTIONMuch existing software is designed with poor consideration of information security which makes it vulnerable to many threats including malicious attacks [1]. Software patches are one of the suggested solutions for many of the security attacks facing software [1] but they are expensive to develop and deploy and do not solve basic design weaknesses in the program code. Another solution to achieve a secure product is by following a trustworthy security process [2]. Security processes, in general, consider many aspects of system design, coding, testing, and auditing [2] (e.g., international security standards such as the Common Criteria [3] or the Trusted Computer Criteria [4]).Another common approach for achieving a secure computer program is by following certain coding guidelines which focus on the level of individual program statements (e.g., to avoid/detect buffer overflows [5]). However, these solutions do not always work effectively and may, in general, even introduce new vulnerabilities to existing software [1]. Adding security features to systems after they have been developed and deployed has been a major cause of many system vulnerabilities [6]. Therefore, applying security principles from the early stages of the software development life cycle (SDLC) would be a better solution [1] and allow a Manuscript received October 10, 2014; revised January 5, 2015. Bandar M. Alshammari is with Aljouf University, Saudi Arabia (e-mail: bmshammeri@ju.edu.sa).Colin J. Fidge is with Queensland University of Technology, Australia (e-mail: c.fidge@qut.edu.au).Diane Corney is with Oracle, Australia (e-mail: diane.corney@oracle.com).more coherent system to be produced [6].Developing a secure system requires a good overall design which takes security into account from the beginning. A suggested methodology by Fernandez [1] incorporates security principles into each stage of the SDLC. It makes sure that each stage complies with these principles th...

show abstract

Section: A Software Security Metricsmentioning

confidence: 99%

mentioning

confidence: 99%

Developing Secure Systems: A Comparative Study of Existing Methodologies

Alshammari¹,

Fidge²,

Corney³

2016

LNSE

View full text Add to dashboard Cite

show abstract

Section: Related Workmentioning

confidence: 99%

“…One of the studies in this field is by Antonino et al [12] who define an evaluation technique for measuring the security of an existing service-oriented architecture. This evaluation technique is based on two types of metrics: severity and credibility.…”

Section: Related Workmentioning

confidence: 99%

“…This evaluation technique is based on two types of metrics: severity and credibility. Severity relates to the value of tagged security artifacts while credibility is the probability of correctly assigning a tag to its relevant system component [12].Further work in this area was conducted by Liu et al who proposed a model called the -User System Interaction Effect (USIE)‖ [13]. The USIE model is responsible for providing a systematic approach to identify security defects from the architecture of a service-oriented system [13].…”

mentioning

confidence: 99%

See 1 more Smart Citation

An Assessment Model for Security-Critical Enterprise Systems

Alshammari¹

2014

IJIET

View full text Add to dashboard Cite

Abstract-This paper presents a model for assessing security of enterprise systems. It focuses on the structural properties of enterprise systems' architectures in order to quantify their overall security. The model is built on the well-known three-tier architecture model and aims to identify the ways in which security-critical data values may be transferred between various components of the system's architecture. This paper extends the three-tier architecture model to add a fourth layer which defines a set of low-level security metrics developed based on systems' structural characteristics, such as data accessibility, coupling, cohesion and complexity. These metrics then are linked to relevant components of the three layers in the three-tier architecture model and hence defining a single security metric for each component. By combining security metrics of each layer's components, a single security index is defined that forms the security value of each layer. Finally, the entire system's security is summarised as a single security value. These metrics allow different architecture of the same system, or different systems with similar functionalities, to be compared for their relative security at a number of different abstraction levels at an early stage of development for any enterprise system. Index Terms-Security models, three-tier architecture, security metrics, enterprise systems. I. INTRODUCTIONMuch existing software is designed with poor consideration of information security which makes it vulnerable to many threats including malicious attacks [1]. Software patches are one of the suggested solutions for many of the security attacks facing software [1] but they are expensive to develop and deploy, and do not solve basic design weaknesses in the program code. Another solution to achieve a secure product is by following a trustworthy security process [2]. Security processes, in general, consider many aspects of system design, coding, testing, and auditing [2] (e.g., international security standards such as the Common Criteria [3] or the Trusted Computer Criteria [4]). Another common approach for achieving a secure computer program is by following certain coding guidelines which focus on the level of individual program statements (e.g., to avoid/detect buffer overflows [5]). However, these solutions do not always work effectively and may, in general, even introduce new vulnerabilities to existing software [1].The most promising approach is the one which is capable of quantifying security of a given system at an early stage of development (i.e., security metrics). Several types of metrics Manuscript received September 14, 2013; revised November 25, 2013. B. M. Alshammari is with the Information Technology Department, University of Aljouf, Saudi Arabia (e-mail: bmshammeri@ju.edu.sa).have been defined in the literature which aim to measure security of programs. These include metrics which assess security at the abstract system architecture level [6], at the design phase [7], [8], and at the low level of program cod...

show abstract

Automated Reusable Tests for Mitigating Secure Pattern Interpretation Errors

Cunha

Pombo

2023

IEEE Access

View full text Add to dashboard Cite

Indicator-based architecture-level security evaluation in a service-oriented environment

Cited by 11 publications

References 10 publications

Developing Secure Systems: A Comparative Study of Existing Methodologies

Developing Secure Systems: A Comparative Study of Existing Methodologies

An Assessment Model for Security-Critical Enterprise Systems

Automated Reusable Tests for Mitigating Secure Pattern Interpretation Errors

Contact Info

Product

Resources

About