A security specific knowledge modelling approach for secure software engineering

The paradigm shift of 'Build Security In' has emerged in recent decades with the underpinning idea that software security has to be an integral part of all the phases of the software development lifecycle. As a result, each phase of the lifecycle is associated with security specific best practices such as threat modelling and static code analysis. It was observed that various artefacts (i.e., security requirements, architectural flaws, bug reports, security test cases) generated as a result of security best practices tend to be disconnected from each other. This creates a significant barrier to ensure that the security issues identified in the architectural level are incorporated in the implementation level. In order to address this issue, this paper presents a knowledge-modelling based approach to semantically infer the associations between architectural level security flaws and code level security bugs, which is manually tedious. Threat modelling and static analysis are used to identify security flaws, and security bugs, respectively. The case study based experimental results reveal that the architectural security flaws have a significant impact on originating security bugs in the code level.