Architectural Solutions to Mitigate Security Vulnerabilities in Software Systems
Authors: 
Priya Anand, Jungwoo RyooAuthors Info & Claims
Priya Anand, Jungwoo RyooAuthors Info & ClaimsARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security
Article No.: 5, Pages 1 - 5
Abstract
Security issues emerging out of the constantly evolving software applications became a huge challenge to software security experts. In this paper, we propose a prototype to detect vulnerabilities by identifying their architectural sources and also use security patterns to mitigate the identified vulnerabilities. We emphasize the need to consider architectural relations to introduce an effective security solution. In this research, we focused on the taint-style vulnerabilities that can induce injection-based attacks like XSS, SQLI in web applications. With numerous tools available to detect the taint-style vulnerabilities in the web applications, we scanned for the presence of repetition of a vulnerable code pattern in the software. Very importantly, we attempted to identify the architectural source files or modules by developing a tool named ArT Analyzer. We conducted a case study on a leading health-care software by applying the proposed architectural taint analysis and identified the vulnerable spots. We could identify the architectural roots for those vulnerable spots with the use of our tool ArT Analyzer. We verified the results by sharing it with the lead software architect of the project. By adopting an architectural solution, we avoided changes to be done on 252 different lines of code by merely introducing 2 lines of code changes at the architectural roots. Eventually, this solution was integrated into the latest updated release of the health-care software.
References
[1]
L. Bass, P. Clements, R. Kazman, Software Architecture in Practice, Reading, MA:Addison-Wesley, 2003.
[2]
Devanbu, Premkumar T., and Stuart Stubblebine. "Software engineering for security: a roadmap." Proceedings of the Conference on the Future of Software Engineering. ACM, 2000.
[3]
Xiao, Lu, Yuanfang Cai, and Rick Kazman. "Titan: A toolset that connects software architecture with quality analysis." In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 763--766. ACM, 2014.
[4]
Mo, Ran, Yuanfang Cai, Rick Kazman, and Lu Xiao. "Hotspot patterns: The formal definition and automatic detection of architecture smells." In Software Architecture (WICSA), 2015 12th Working IEEE/IFIP Conference on, pp. 51--60. IEEE, 2015.
[5]
Almorsy, Mohamed, John Grundy, and Amani S. Ibrahim. "Automated software architecture security risk analysis using formalized signatures." Proceedings of the 2013 International Conference on Software Engineering. IEEE Press, 2013.
[6]
Jansen, Anton, and Jan Bosch. "Software architecture as a set of architectural design decisions." In Software Architecture, 2005. WICSA 2005. 5th Working IEEE/IFIP Conference on, pp. 109--120. IEEE, 2005.
[7]
Ryoo, Jungwoo, Rick Kazman, and Priya Anand. "Architectural Analysis for Security." IEEE Security Privacy 13, no. 6 (2015): 52--59.
[8]
Xiao, Lu, Yuanfang Cai, and Rick Kazman. "Design rule spaces: A new form of architecture insight." In Proceedings of the 36th International Conference on Software Engineering, pp. 967--977. ACM, 2014.
[9]
McGraw, Gary. Software security: building security in. Vol. 1. Addison-Wesley Professional, 2006.
[10]
M. Whitman and H. Mattord, Principles of information security. Cengage Learning, 2011.
[11]
Jovanovic, Nenad, Christopher Kruegel, and Engin Kirda. "Pixy: A static analysis tool for detecting web application vulnerabilities." Security and Privacy, 2006 IEEE Symposium on. IEEE, 2006.
[12]
Jovanovic, Nenad, Christopher Kruegel, and Engin Kirda. "Static analysis for detecting taint-style vulnerabilities in web applications." Journal of Computer Security 18.5 (2010): 861--907.
[13]
Anand, Priya, and Jungwoo Ryoo. "SPAAS âĂŞ Security Patterns As Architectural Solution to fix Cross-Site Scripting Vulnerabilities in Web Applications." Software Security and Assurance (ICSSA), International Conference on. IEEE, 2015.
[14]
Win, Khin Than, Willy Susilo, and Yi Mu. "Personal health record systems and their security protection." Journal of medical systems 30.4 (2006): 309--315.
[15]
http://www.open-emr.org/wiki/index.php/OpenEMR_Wiki
[16]
Baldwin, Carliss Young, and Kim B. Clark. Design rules: The power of modularity. Vol. 1. MIT press, 2000.
Recommendations
Securing web applications from injection and logic vulnerabilities
Context: Web applications are trusted by billions of users for performing day-to-day activities. Accessibility, availability and omnipresence of web applications have made them a prime target for attackers. A simple implementation flaw in the ...
Extracting Information about Security Vulnerabilities from Web Text
WI-IAT '11: Proceedings of the 2011 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology - Volume 03The Web is an important source of information about computer security threats, vulnerabilities and cyber attacks. We present initial work on developing a framework to detect and extract information about vulnerabilities and attacks from Web text. Our ...
Matching attack patterns to security vulnerabilities in software-intensive system designs
Fortifying software applications from attack is often an effort that occurs late in the software development process. Applying patches to fix vulnerable applications in the field is a common approach to securing applications. Abstract representations of ...
Comments
Information & Contributors
Information
Published In
August 2018
603 pages
ISBN:9781450364485
DOI:10.1145/3230833
Copyright © 2018 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
In-Cooperation
- Universität Hamburg: Universität Hamburg
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 27 August 2018
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Conference
ARES 2018
ARES 2018: International Conference on Availability, Reliability and Security
August 27 - 30, 2018
Hamburg, Germany
Acceptance Rates
ARES '18 Paper Acceptance Rate 128 of 260 submissions, 49%;
Overall Acceptance Rate 228 of 451 submissions, 51%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 165Total Downloads
- Downloads (Last 12 months)6
- Downloads (Last 6 weeks)0
Reflects downloads up to 03 Jan 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in