Software Security Vulnerabilities Seen As Feature Interactions

The security of software applications is an important domain, and one that mixes formalisms (e.g. when dealing with cryptography and security protocols) with very ad hoc, low level practical solutions. In this paper, we look at a subset of the "security" field: the production of secure, general purpose software from a software engineering viewpoint. We call this simply "software security". We show that, when we analyze this particular subset of the field, many if not most problems turn out to be instances of feature interactions problems. We illustrate our claim by looking at three of the top ten most common vulnerabilities in Web application as published by OWASP (the three that are in fact software security issues) and show that in each instance, we can express the problem as a feature interactions problem. We also reach the same conclusion with one of the latest generalized software security vulnerability, "ClickJacking".