Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/3939
Title: A Framework for Secure Software Engineering: A Knowledge Modeling based Approach for inferring Association between Source Code and Software Design Artifacts
Authors: Abeyrathna, K.A.I.
Dahanayake, B.N.
Samarage, C.S.
Issue Date: 2017
Abstract: The popular approaches to securing software systems are operating system security, anti-virus software, and firewalls. These approaches build security around the software system instead of integrating it within the software system. However, this is not adequate, since the root cause of software vulnerabilities resides within the software system. As a result, current approaches to software development place a major focus on integrating security with the development process to produce secure and reliable software systems. The Secure Software Engineering process integrates security into each phase of the software development lifecycle. A disconnected set of security-specific practices and tools is available for use in each phase. Architecture-level security flaws arise in the design phase, while security-specific bugs are introduced at the implementation level. Whenever a security issue in one phase is not resolved, it can propagate into security ramifications in another phase. Unresolved architecture-level security flaws will create security bugs at the implementation level. The connection between security bugs and architecture-level security flaws needs to be identified in order to resolve the root cause of a security bug that arises as a ramification. This dissertation proposes a semi-automated approach to infer the association between security bugs and architecture-level security flaws, implementing a framework named Conexus as a proof of concept. The proposed approach uses static code analysis to identify security bugs with respect to the OWASP Top 10 vulnerability types, and threat modeling to identify architecture-level security flaws with respect to the STRIDE threat categorization model. The identified security bugs and architecture-level security flaws are used as the input to the Conexus framework, and the association between the two categories is derived using a knowledge-modeling-based mechanism. The security controls violated by each STRIDE threat category and OWASP Top 10 vulnerability type are used in the Knowledge Base to identify the association between threat categories and bug categories through a semantic similarity matching model. Depending on the results generated by the Conexus framework, a software developer can revise the design to produce a secure design, followed by secure code, to eliminate and reduce security vulnerabilities in a software application.
URI: http://hdl.handle.net/123456789/3939
Appears in Collections: SCS Individual/Group Project - Final Thesis (2017)

Files in This Item:
File: BCS.pdf
Size: 1.9 MB
Format: Adobe PDF


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.