The Community for Technology Leaders
RSS Icon
Subscribe
Genova, Italy Italy
Mar. 5, 2013 to Mar. 8, 2013
ISBN: 978-1-4673-5833-0
pp: 285-294
ABSTRACT
Security is getting more and more important for the software development process as the advent of more complex, connected and extensible software entails new risks. In particular, multi-tier business applications, e.g., based on the Service-Oriented Architecture (SOA), are vulnerable to new attacks, which may endanger the business processes of an organization. These applications consist often of legacy code, which is now exported via Web Services, although it has originally been developed for internal use only. The last years showed great progress in the area of static code analysis for the detection of common low level security bugs, such as buffer overflows and cross-site scripting vulnerabilities. However, there is still a lack of tools that allow an analyst to assess the implemented security architecture of an application. In this paper, we propose a technique that automatically extracts the implemented security architecture of Java-based business applications from the source code. In addition, we carry out threat modeling on this extracted architecture to detect security flaws. We evaluate and discuss our approach with the help of two commercial real-world case studies, one taken from the e-government domain and the other one from logistics.
INDEX TERMS
threat modeling, reverse engineering, software security, static analysis
CITATION
Bernhard J. Berger, Karsten Sohr, Rainer Koschke, "Extracting and Analyzing the Implemented Security Architecture of Business Applications", CSMR, 2013, 2011 15th European Conference on Software Maintenance and Reengineering, 2011 15th European Conference on Software Maintenance and Reengineering 2013, pp. 285-294, doi:10.1109/CSMR.2013.37
21 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool