Secure By Design

OVERVIEW

Architectural issues can overwhelm even the most heroic coding efforts, and ignoring such issues results in systems that are hard to maintain, vulnerable and exposes several security breaches. As part of this project, we developed  the new concept of Common Architectural Weaknesses, which are known design and implementation flaws in security architecture of a system resulting in severe vulnerabilities and security breaches. The National Cyber Security Division at the US Department of Homeland Security (DHS) and MITRE Corporation support the collection and maintenance of Common Software Weaknesses (CWE). This collection contains over 1,000 software weaknesses, but these vulnerabilities are explicitly categorized into architectural and non-architectural. In this project, we have classified architecture related vulnerabilities. As a result, we have developed a catalogue of Common Architectural Weakness Enumerations (CAWE). A CAWE describes an architectural flaw in a software system resulting in a security vulnerability.

PUBLICATIONS

  • SANTOS, J. C. S.; SULOGLU, S.; YE, J.; MIRAKHORLI, M; “Towards an Automated Approach for Detecting Architectural Weaknesses in Critical Systems”. In: Proceedings of the 1st International Workshop on Engineering and Cybersecurity of Critical Systems(EnCyCriS 2020), Seoul, South Korea. 2020.
  • SANTOS, J. C. S.; MOSHTARI, S.; MIRAKHORLI, M; ” An Automated Approach to Recover the Use-case View of an Architecture”. In: Proceedings of the 2020 IEEE International Conference on Software Architecture – New and Emerging Ideas(ICSA-NEMI Track), Salvador, Brazil. 2020. (doi: 10.1109/ICSA-C50368.2020.00020)
  • SANTOS, J. C. S.; SEJFIA, A.; CORRELLO, T.; GADENKANAHLLI, S.; MIRAKHORLI, M; “Achilles’ Heel of Plug-and-Play Software Architectures: A Grounded Theory Based Approach”. In: Proceedings of the 2019 ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering(ESEC/FSE), Tallinn, Estonia. 2019. (doi: 10.1145/3338906.3338969)
  • SANTOS, J. C. S.; TARRIT, K.; SEJFIA, A.; MIRAKHORLI, M; GALSTER, M. “An Empirical Study of Tactical Vulnerabilities”. Journal of Systems and Software. 2019. (doi: 10.1016/j.jss.2018.10.030)
  • SANTOS, J. C. S.; PERUMA, A.; MIRAKHORLI, M; GALSTER, M.; VELOZ, J. P.; SEJFIA, A. “Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird”. In: Proceedings of the 2017 IEEE International Conference on Software Architecture(ICSA), Gothenburg, Sweden. 2017. (doi: 10.1109/ICSA.2017.39)  Best Paper Award
  • SANTOS, J. C. S.; TARRIT, K.; MIRAKHORLI, M; “A Catalog of Security Architecture Weaknesses”. In: Proceedings of the 2017 IEEE International Conference on Software Architecture Workshops(ICSAW), Gothenburg, Sweden. 2017. (doi: 10.1109/ICSAW.2017.25)