Loading [MathJax]/extensions/MathMenu.js
Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird | IEEE Conference Publication | IEEE Xplore
Access provided by:

MIT Libraries

Sign Out
Access provided by:

MIT Libraries

Sign Out
ADVANCED SEARCH
Conferences >2017 IEEE International Confe...

Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird

PDF
Joanna C. S. Santos; Anthony Peruma; Mehdi Mirakhorli; Matthias Galstery; Jairo Veloz Vidal; Adriana Sejfia
All Authors

Abstract:

To satisfy security requirements, software architects often adopt security tactics. These architectural tactics provide mechanisms for resisting, detecting, reacting to a...Show More

Metadata

Abstract:

To satisfy security requirements, software architects often adopt security tactics. These architectural tactics provide mechanisms for resisting, detecting, reacting to and recovering from attacks. Consequently, flaws in the implementation of security tactics or their deterioration during software evolution and maintenance can introduce severe vulnerabilities that could be exploited by attackers. However, we currently lack an in-depth understanding of the types and impact of vulnerabilities related to security tactics. Therefore, in this paper, we conduct a first-of-its-kind in-depth case study involving three large-scale open-source systems. We investigate the most common types of vulnerabilities associated with security tactics, how frequently they may occur over time, and how fixing them differs from fixing vulnerabilities that are not related to security tactics. Key findings are (i) most tactic-related vulnerabilities were related to the tactics "Validate Inputs" and "Authorize Actors", (ii) vulnerabilities related to tactics have a similar distribution over time and software releases as vulnerabilities that are not related to tactics, (iii) fixing tactic-related vulnerabilities is not necessarily more complex than fixing vulnerabilities that are not related to security tactics. This study highlights the importance of ensuring an appropriate implementation of security-related design decisions in code to avoid vulnerabilities rooted in the architecture.
Published in: 2017 IEEE International Conference on Software Architecture (ICSA)
Date of Conference: 03-07 April 2017
Date Added to IEEE Xplore: 18 May 2017
ISBN Information:
DOI: 10.1109/ICSA.2017.39
Conference Location: Gothenburg, Sweden
Contents

I. Introduction

Software engineers face a constantly growing pressure to build secure software by design [9], where systems have to be designed from the ground up to be secure and resistant to attacks. To achieve this goal, software architects work with various stakeholders to identify security requirements and adopt appropriate architectural solutions to address these requirements. These architectural solutions are often based on security tactics [10]. Bass et al. [5] provide a comprehensive list of such tactics and define security tactics as reusable solutions to satisfy security quality attributes regarding resisting attacks (e.g., tactic “Authenticate Actors”), detecting attacks (e.g., tactic “Detect Intrusion”), reacting to attacks (e.g., tactic “Revoke Access”), and recovering from attacks (e.g., tactic “Audit”). As argued by Cervantes et al. [8], strategic, system-wide architectural approaches result in the highest security and lowest maintenance costs.

Contact IEEE to Subscribe
More Like This
The Use of Security Tactics in Open Source Software Projects

IEEE Transactions on Reliability

Published: 2016

Security Risk Visualization for Open-Source Software based on Vulnerabilities, Repositories, and Dependencies

2023 Eleventh International Symposium on Computing and Networking (CANDAR)

Published: 2023

Show More

References

References is not available for this document.

IEEE Account

Purchase Details

Profile Information

Need Help?

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity.
© Copyright 2025 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.