Automated software architecture security risk analysis using formalized signatures

Mohamed Almorsy, John Grundy, Amani S. Ibrahim

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

35 Citations (Scopus)


Reviewing software system architecture to pinpoint potential security flaws before proceeding with system development is a critical milestone in secure software development lifecycles. This includes identifying possible attacks or threat scenarios that target the system and may result in breaching of system security. Additionally we may also assess the strength of the system and its security architecture using well-known security metrics such as system attack surface, Compartmentalization, least-privilege, etc. However, existing efforts are limited to specific, predefined security properties or scenarios that are checked either manually or using limited toolsets. We introduce a new approach to support architecture security analysis using security scenarios and metrics. Our approach is based on formalizing attack scenarios and security metrics signature specification using the Object Constraint Language (OCL). Using formal signatures we analyse a target system to locate signature matches (for attack scenarios), or to take measurements (for security metrics). New scenarios and metrics can be incorporated and calculated provided that a formal signature can be specified. Our approach supports defining security metrics and scenarios at architecture, design, and code levels. We have developed a prototype software system architecture security analysis tool. To the best of our knowledge this is the first extensible architecture security risk analysis tool that supports both metric-based and scenario-based architecture security analysis. We have validated our approach by using it to capture and evaluate signatures from the NIST security principals and attack scenarios defined in the CAPEC database.

Original languageEnglish
Title of host publication2013 35th International Conference on Software Engineering, ICSE 2013 - Proceedings
Number of pages10
Publication statusPublished - 2013
Externally publishedYes
EventInternational Conference on Software Engineering 2013 - San Francisco, United States of America
Duration: 18 May 201326 May 2013
Conference number: 35th


ConferenceInternational Conference on Software Engineering 2013
Abbreviated titleICSE 2013
CountryUnited States of America
CitySan Francisco


  • Architecture Security Risk analysis
  • Common attack patterns enumeration and classification (CAPEC)
  • Formal attack patterns specification
  • Software security

Cite this