{"title":"架构安全工具套件- ARCHSEC","authors":"Bernhard J. Berger, K. Sohr, R. Koschke","doi":"10.1109/SCAM.2019.00035","DOIUrl":null,"url":null,"abstract":"Architectural risk analysis is a risk management process for identifying security flaws at the level of software architectures and is used by large software vendors, to secure their products. We present our architectural security environ- ment (ARCHSEC) that has been developed at our institute during the past eight years in several research projects. ARCHSEC aims to simplify architectural risk analysis, making it easier for small and mid-sized companies to get started. With ARCHSEC, it is possible to graphically model or to reverse engineer software security architectures. The regained software architectures can then be inspected manually or au- tomatically analyzed w.r.t. security flaws, resulting in a threat model, which serves as a base for discussion between software and security experts to improve the overall security of the software system in question, beyond the level of implementation bugs. In the evaluation part of this paper, we demonstrate how we use ARCHSEC in two of our current research projects to analyze business applications. In the first project we use ARCHSEC to identify security flaws in business process diagrams. In the second project, ARCHSEC is integrated into an audit environment for software security certification. ARCHSEC is used to identify security flaws and to visualize software systems to improve the effectiveness and efficiency of the certification process.","PeriodicalId":431316,"journal":{"name":"2019 19th International Working Conference on Source Code Analysis and Manipulation (SCAM)","volume":"53 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":"{\"title\":\"The Architectural Security Tool Suite — ARCHSEC\",\"authors\":\"Bernhard J. Berger, K. Sohr, R. Koschke\",\"doi\":\"10.1109/SCAM.2019.00035\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Architectural risk analysis is a risk management process for identifying security flaws at the level of software architectures and is used by large software vendors, to secure their products. We present our architectural security environ- ment (ARCHSEC) that has been developed at our institute during the past eight years in several research projects. ARCHSEC aims to simplify architectural risk analysis, making it easier for small and mid-sized companies to get started. With ARCHSEC, it is possible to graphically model or to reverse engineer software security architectures. The regained software architectures can then be inspected manually or au- tomatically analyzed w.r.t. security flaws, resulting in a threat model, which serves as a base for discussion between software and security experts to improve the overall security of the software system in question, beyond the level of implementation bugs. In the evaluation part of this paper, we demonstrate how we use ARCHSEC in two of our current research projects to analyze business applications. In the first project we use ARCHSEC to identify security flaws in business process diagrams. In the second project, ARCHSEC is integrated into an audit environment for software security certification. ARCHSEC is used to identify security flaws and to visualize software systems to improve the effectiveness and efficiency of the certification process.\",\"PeriodicalId\":431316,\"journal\":{\"name\":\"2019 19th International Working Conference on Source Code Analysis and Manipulation (SCAM)\",\"volume\":\"53 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2019-09-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"5\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2019 19th International Working Conference on Source Code Analysis and Manipulation (SCAM)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SCAM.2019.00035\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 19th International Working Conference on Source Code Analysis and Manipulation (SCAM)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SCAM.2019.00035","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Architectural risk analysis is a risk management process for identifying security flaws at the level of software architectures and is used by large software vendors, to secure their products. We present our architectural security environ- ment (ARCHSEC) that has been developed at our institute during the past eight years in several research projects. ARCHSEC aims to simplify architectural risk analysis, making it easier for small and mid-sized companies to get started. With ARCHSEC, it is possible to graphically model or to reverse engineer software security architectures. The regained software architectures can then be inspected manually or au- tomatically analyzed w.r.t. security flaws, resulting in a threat model, which serves as a base for discussion between software and security experts to improve the overall security of the software system in question, beyond the level of implementation bugs. In the evaluation part of this paper, we demonstrate how we use ARCHSEC in two of our current research projects to analyze business applications. In the first project we use ARCHSEC to identify security flaws in business process diagrams. In the second project, ARCHSEC is integrated into an audit environment for software security certification. ARCHSEC is used to identify security flaws and to visualize software systems to improve the effectiveness and efficiency of the certification process.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
