Leveraging Security Patterns To Address Security Vulnerabilities In Software Systems
Open Access
- Author:
- Anand, Priya
- Graduate Program:
- Information Sciences and Technology
- Degree:
- Doctor of Philosophy
- Document Type:
- Dissertation
- Date of Defense:
- May 03, 2021
- Committee Members:
- Peng Liu, Committee Member & Major Field Represnt
Jungwoo Ryoo, Chair & Major Field Represnt
Rick Kazman, Special Member
Phillip Laplante, Committee Member & Related Areas Repres
Dinghao Wu, Committee Member & Major Field Represnt
Mary Beth Rosson, Program Head/Chair
Member Committee, Committee Member & Special Represent
- Keywords:
- Security Patterns
Vulnerability Scanning
Architectural Analysis
- Abstract:
- Attackers continue to exploit security vulnerabilities in software systems despite recent advances in information security research. Although security researchers have striven to prevent unauthorized access, use, disclosure, modification, manipulation, or destruction of data, many software systems are still plagued by vulnerabilities. Systems need security implementation at both the architectural level and the local level, which means security must be built into the system in the design phase. Applying security patterns would be one way to accomplish this task. Security patterns provide solutions to recurring security problems in software and define ways to express security requirements and solutions concisely. Little research has been done to match security patterns with specific system vulnerabilities. This dissertation research is aimed primarily at filling that gap. A step-by-step methodology is proposed and evaluated in this dissertation to demonstrate security pattern selection and implementation in a software system that has completed its initial Software Development Life Cycle (SDLC). The guiding principle is to identify an appropriate security pattern from an existing pattern catalog. The collection comprises 96 unique security patterns taken from existing pattern catalogues, including the details of the potential application of those patterns by relating them to a broad classification of vulnerabilities from the OWASP (Open Web Application Security Project) list. This dissertation research presents a methodology named i-PASS (implementing Patterns as Architectural Security Solutions) to help practitioners architecturally adopt security patterns in software systems. A new tool was developed as part of this dissertation research to help make pattern implementation a relatively easy task for the software developer community. The tool is called SPAAS (Security Patterns As Architectural Solution).
It automates the process of implementing a selected security pattern in a software system at an architectural level. SPAAS assesses potential vulnerabilities and applies possible fixes by implementing the selected security patterns. It also checks the effectiveness of security patterns that have already been implemented in the system and reports the results. The research focuses on taint-style vulnerabilities that can induce injection-based attacks such as SQL Injection (SQLI) and Cross-Site Scripting (XSS) in web applications. Unlike other tools used to detect taint-style vulnerabilities, SPAAS scans only for the repetition of a vulnerable code pattern in the software. Three case studies were conducted on leading open-source healthcare software systems using the i-PASS methodology. The resulting solutions were presented to each software architect. The solution for the first case study (OpenEMR) was integrated into the latest release of the software. This dissertation research emphasizes and highlights the need to adopt security patterns at the architectural level in order to produce effective security solutions.