UCSC Digital Library >
Bachelor of Computer Science (BCS) >
SCS Individual/Group Project - Final Thesis (2017) >
Please use this identifier to cite or link to this item:
|Title: ||A Framework for Secure Software Engineering: A Knowledge Modeling based Approach for inferring Association between Source Code and Software Design Artifacts|
|Authors: ||Abeyrathna, K.A.I.|
|Issue Date: ||2017|
The popular approaches in securing software systems are operating system security, anti-virus, and firewalls. These approaches build security around the software system instead of integrating within the software system. However, it is not adequate since the root cause of software vulnerabilities reside within the software system. As a result, current approaches for Software Development have given a major focus on the integration of Security with the development process to develop secure and reliable software systems. Secure Software Engineering process integrates security in each phase of the software development lifecycle. A disconnected set of security-specific practices and tools are available to be used in each phase. Architecture-level security flaws arise in the design phase while security specific bugs are caused in the implementation level. Whenever a security issue in one phase is not resolved, it can be propagated to security ramifications in another phase. The unresolved architecture-level security flaws will create security bugs at the implementation level. A connectivity between the security bugs and architecture-level security flaws needs to be identified to solve the root cause of the security bug arise as a ramification.
This dissertation proposes a semi-automated approach to infer the association between security bugs and architecture-level security flaws by implementing a framework named Conexus as a proof of concept. The proposing approach uses static code analysis to identify the security bugs with respect to OWASP Top 10 vulnerability types and threat modeling to identify the architecture-level security flaws with respect to STRIDE threat categorization model. The identified security bugs and architecture-level security flaws are used as the input to the Conexus framework and the association between the two categories is derived using a Knowledge modeling based mechanism. The security controls violated by each STRIDE threat category and OWASP Top 10 vulnerability type are used in the Knowledge Base to identify the association between threat categories and bug categories through a semantic similarity matching model. Depending on the results generated from the Conexus framework, a software developer can revise the design to make a secure design followed by a secure code to eliminate and reduce security vulnerabilities in a software application.|
|Appears in Collections:||SCS Individual/Group Project - Final Thesis (2017)|
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.