This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
2013 17th European Conference on Software Maintenance and Reengineering
Extracting and Analyzing the Implemented Security Architecture of Business Applications
Genova, Italy Italy
March 05-March 08
ISBN: 978-1-4673-5833-0
Security is getting more and more important for the software development process as the advent of more complex, connected and extensible software entails new risks. In particular, multi-tier business applications, e.g., based on the Service-Oriented Architecture (SOA), are vulnerable to new attacks, which may endanger the business processes of an organization. These applications consist often of legacy code, which is now exported via Web Services, although it has originally been developed for internal use only. The last years showed great progress in the area of static code analysis for the detection of common low level security bugs, such as buffer overflows and cross-site scripting vulnerabilities. However, there is still a lack of tools that allow an analyst to assess the implemented security architecture of an application. In this paper, we propose a technique that automatically extracts the implemented security architecture of Java-based business applications from the source code. In addition, we carry out threat modeling on this extracted architecture to detect security flaws. We evaluate and discuss our approach with the help of two commercial real-world case studies, one taken from the e-government domain and the other one from logistics.
Index Terms:
threat modeling,reverse engineering,software security,static analysis
Citation:
Bernhard J. Berger, Karsten Sohr, Rainer Koschke, "Extracting and Analyzing the Implemented Security Architecture of Business Applications," csmr, pp.285-294, 2013 17th European Conference on Software Maintenance and Reengineering, 2013
Usage of this product signifies your acceptance of the Terms of Use.