Software Engineering Institute

While software security is an increasing concern for software and system architects, few architects approach this quality concern strategically. Architects and developers typically focus on functionality, and they often apply security as a Band-Aid solution after developing an application. In this presentation, we report on three case studies of real-world projects—two industrial and one open source—for which we attempted to measure the consequences of three architectural approaches to security. These architectural approaches differ on the degree of adoption of security frameworks for the development projects: “no adoption,” where no security frameworks are used; “partial adoption,” where security frameworks are introduced in the middle of the lifetime of a software application; and “full adoption,” where one or more security frameworks are adopted from the beginning of the development process. We conducted the case studies by interviewing architects about the security tactics implemented in their projects and by scanning the systems to identify their vulnerabilities using a commercial security scanner (IBM’s AppScan). The results of our case studies indicate that a strategic, system-wide, architectural approach to security, implemented through the partial or full adoption of security frameworks, results in the best outcome from both security and maintenance cost perspectives.