Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Software Security by Design

https://doi.org/10.15514/ISPRAS-2024-36(5)-1

Abstract

Security-by-Design is an important approach to ensuring software security and reliability. It has been developing for more than 50 years, but its principles and techniques are still not well known among the wider community of software developers. To make the approach more familiar and popular, we need to restate its goals and problems, classify and explain its techniques, and formulate trends for its future development. This paper reformulates the main principles of Security-by-Design, provides some examples of security design patterns and anti-patterns, and also explores the relations between the approach and software architecture analysis methods, hardening techniques, and safe programming languages.

About the Authors

Victor Viatcheslavovitch KULIAMIN
V.P. Ivannikov Institute for System Programming of the Russian Academy of Sciences, Lomonosov Moscow State University, National Research University «Higher School of Economy».
Russian Federation

Cand. Sci. (Phys.-Math.), Associate Professor of the System Programming Department, Faculty of Computational Mathematics and Cybernetics, Moscow State University, and Leading Researcher at the Institute for System Programming, Russian Academy of Sciences. Research interests: software engineering, model-based testing, formal methods of software engineering, formal methods of software security assurance.



Alexander Konstantinovich PETRENKO
V.P. Ivannikov Institute for System Programming of the Russian Academy of Sciences, Lomonosov Moscow State University, National Research University «Higher School of Economy».
Russian Federation

Dr. Sci. (Phys.-Math.), Professor of the System Programming Department, Faculty of Computational Mathematics and Cybernetics, Moscow State University, and Head of the Software Engineering Department of the Institute for System Programming, Russian Academy of Sciences. His research interests include formal methods of software engineering, specification and modeling languages, and their use in software development and verification.



Ekaterina Alexandrovna RUDINA
AO Kaspersky Lab
Russian Federation

Cand. Sci. (Tech.) in Computer and Network Security, an analyst at Kaspersky working on threat research and risk assessment for critical information infrastructure systems. Ekaterina is a contributor to ISO, IEEE, ITU, and Industrial Internet Consortium documents and to national standards. Her research interests cover threat modeling methods, approaches to secure and safe systems engineering, and intrusion detection methods.




For citations:


KULIAMIN V.V., PETRENKO A.K., RUDINA E.A. Software Security by Design. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2024;36(5):7-16. (In Russ.) https://doi.org/10.15514/ISPRAS-2024-36(5)-1



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)