The Use of Security Tactics in Open Source Software Projects

Jungwoo Ryoo, Bryan Malone, Phillip A. Laplante, Priya Anand

Research output: Contribution to journal › Article

6 Citations (Scopus)

Abstract

Despite the best intentions of software architects, it is often the case that individual developers do not faithfully implement the original security design decisions. Such a scenario sometimes leads to a situation in which while an architect claims the use of a secure architecture in the form of some tactic, the corresponding source code does not support the claim. To bridge this gap, the first critical step is to verify whether the source code reflects at least some of the structural or behavioral features required for a tactic. In this study, we examine the extent of this discrepancy between an architect's vision of what security tactics need to be adopted in the software and the actual implementation. We accomplish this research goal by 1) exploring an architect's intention to use security tactics, 2) checking whether the tactic is manifested in the design, and finally 3) recovering the evidence of efforts to implement the design in the source code. To avoid limitations to accessing documentation and source code, we use open source projects to conduct our research.

Original language: English (US)
Article number: 7362260
Pages (from-to): 1195-1204
Number of pages: 10
Journal: IEEE Transactions on Reliability
Volume: 65
Issue number: 3
DOIs: 10.1109/TR.2015.2500367
State: Published - Sep 1 2016

Fingerprint

Open source software

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Electrical and Electronic Engineering

Cite this

@article{f630ade100da483eb99f0bbddca028c2,
title = "The Use of Security Tactics in Open Source Software Projects",
abstract = "Despite the best intentions of software architects, it is often the case that individual developers do not faithfully implement the original security design decisions. Such a scenario sometimes leads to a situation in which while an architect claims the use of a secure architecture in the form of some tactic, the corresponding source code does not support the claim. To bridge this gap, the first critical step is to verify whether the source code reflects at least some of the structural or behavioral features required for a tactic. In this study, we examine the extent of this discrepancy between an architect's vision of what security tactics need to be adopted in the software and the actual implementation. We accomplish this research goal by 1) exploring an architect's intention to use security tactics, 2) checking whether the tactic is manifested in the design, and finally 3) recovering the evidence of efforts to implement the design in the source code. To avoid limitations to accessing documentation and source code, we use open source projects to conduct our research.",
author = "Jungwoo Ryoo and Bryan Malone and Laplante, {Phillip A.} and Priya Anand",
year = "2016",
month = "9",
day = "1",
doi = "10.1109/TR.2015.2500367",
language = "English (US)",
volume = "65",
pages = "1195--1204",
journal = "IEEE Transactions on Reliability",
issn = "0018-9529",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "3",
}

The Use of Security Tactics in Open Source Software Projects. / Ryoo, Jungwoo; Malone, Bryan; Laplante, Phillip A.; Anand, Priya.

In: IEEE Transactions on Reliability, Vol. 65, No. 3, 7362260, 01.09.2016, p. 1195-1204.


TY - JOUR
T1 - The Use of Security Tactics in Open Source Software Projects
AU - Ryoo, Jungwoo
AU - Malone, Bryan
AU - Laplante, Phillip A.
AU - Anand, Priya
PY - 2016/9/1
Y1 - 2016/9/1
AB - Despite the best intentions of software architects, it is often the case that individual developers do not faithfully implement the original security design decisions. Such a scenario sometimes leads to a situation in which while an architect claims the use of a secure architecture in the form of some tactic, the corresponding source code does not support the claim. To bridge this gap, the first critical step is to verify whether the source code reflects at least some of the structural or behavioral features required for a tactic. In this study, we examine the extent of this discrepancy between an architect's vision of what security tactics need to be adopted in the software and the actual implementation. We accomplish this research goal by 1) exploring an architect's intention to use security tactics, 2) checking whether the tactic is manifested in the design, and finally 3) recovering the evidence of efforts to implement the design in the source code. To avoid limitations to accessing documentation and source code, we use open source projects to conduct our research.

UR - http://www.scopus.com/inward/record.url?scp=84985919818&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84985919818&partnerID=8YFLogxK
U2 - 10.1109/TR.2015.2500367
DO - 10.1109/TR.2015.2500367
M3 - Article
AN - SCOPUS:84985919818
VL - 65
SP - 1195
EP - 1204
JO - IEEE Transactions on Reliability
JF - IEEE Transactions on Reliability
SN - 0018-9529
IS - 3
M1 - 7362260
ER -