Architectural issues can overwhelm even the most heroic coding efforts, and ignoring such issues results in systems that are hard to maintain, vulnerable, and exposed to security breaches. This project introduces the concept of Common Architectural Weaknesses: known design and implementation flaws in the security architecture of a system that result in severe vulnerabilities and security breaches. The National Cyber Security Division of the US Department of Homeland Security (DHS) and the MITRE Corporation support the collection and maintenance of the Common Weakness Enumeration (CWE). This collection contains over 1,000 software weaknesses, but they are not explicitly categorized into architectural and non-architectural ones. In this project, we have classified the architecture-related weaknesses. As a result, we have developed a catalogue of Common Architectural Weakness Enumerations (CAWE). A CAWE describes an architectural flaw in a software system that results in a security vulnerability. We have conducted a case study involving three large-scale open-source systems (Chromium, PHP and Thunderbird) to investigate the occurrence of these CAWEs in real systems.

CAWE Hierarchical View: visualize the architectural weaknesses in a tree.

CAWE List View: browse a list of architectural weaknesses related to security tactics.

Overview of the catalog:
A Catalog of Security Architecture Weaknesses. In 2017 IEEE International Conference on Software Architecture (ICSA), 2017.

An empirical study of the common architectural weaknesses across three large-scale open-source systems (Chromium, PHP and Thunderbird):
Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird. In 2017 IEEE International Conference on Software Architecture (ICSA), 2017.


If you publish material based on the datasets obtained from this repository, then, in your acknowledgments, please note the assistance you received by using this repository. This will help others obtain the same datasets and replicate your experiments. We suggest the following pseudo-APA reference format for referring to this repository:

Below, you can find the BibTeX citations as well:

@inproceedings{CAWEStudy,
   title={Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird},
   author={Santos, Joanna C. S. and Peruma, Anthony and Mirakhorli, Mehdi and Galster, Matthias and Veloz Vidal, Jairo and Sejfia, Adriana},
   booktitle={2017 IEEE International Conference on Software Architecture (ICSA)},
   pages={69-78},
   year={2017},
   organization={IEEE}
}

@inproceedings{CAWE,
   title={A Catalog of Security Architecture Weaknesses},
   author={Santos, Joanna C. S. and Tarrit, Katy and Mirakhorli, Mehdi},
   booktitle={2017 IEEE International Conference on Software Architecture (ICSA)},
   year={2017},
   organization={IEEE}
}