Software Engineering Institute | Carnegie Mellon University



SEI Architecture Technology User Network (SATURN) News and Updates

SATURN 2015: The Architectural Analysis for Security (AAFS) Method


Jungwoo Ryoo, Pennsylvania State University, and Rick Kazman, University of Hawaii and Carnegie Mellon Software Engineering Institute

by Jacob Tate, Mount St. Mary's University

In his talk titled "Architectural Analysis for Security (AAFS)," Jungwoo Ryoo explained that security practices are largely absent from software architecture. His research concerns developing and implementing a methodology to test and secure software systems starting at the design phase. The architectural analysis is essentially a structured way of discovering security issues. Such analysis has commonly been applied only after the system has been designed, and Dr. Ryoo warned against this practice.

The method that he and his team developed has the following three steps: tactic-oriented analysis, pattern-oriented analysis, and vulnerability-oriented analysis. The first two steps should be conducted during the design phase by talking to an architect and identifying exactly how the system is designed and what patterns exist. The vulnerability-oriented analysis is concerned with software weaknesses, so this step usually deals with the actual code.

This method is not built completely from scratch, however. There are repositories that record vulnerabilities, and these can be useful resources. For example, the Common Weakness Enumeration (CWE) categorizes weaknesses and attacks such as SQL injection and cross-site scripting (XSS). Architects should take these types of security threats into account during the architecting or design phase. The future of this research project will focus on applying this methodology to more case studies and then mapping between the patterns that are found and the CWE entries.
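As an illustration of the vulnerability-oriented step, which works on actual code against a known weakness catalogue, the following is an added example written for this post and not material from the talk or from the AAFS project. It takes the SQL injection weakness the CWE catalogues (CWE-89), shows a string-built query beside its parameterized replacement against a constructed in-memory SQLite table, and includes a deliberately crude line-level check that flags queries assembled from f-strings or concatenation. The function names, the sample table, and the check's heuristic are all assumptions made for the example.

```python
"""Added example (not from the talk): the vulnerability-oriented step of
AAFS applied to code, using CWE-89 (SQL injection) as the weakness."""
import inspect
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the example; not a real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    # Weak form (CWE-89): untrusted input becomes part of the statement text.
    return [r[0] for r in conn.execute(f"SELECT name FROM users WHERE name = '{name}'")]


def lookup_hardened(conn, name):
    # Hardened form: the input is bound as a parameter and never parsed as SQL.
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def compare(name):
    """Run both forms on the same input; returns (vulnerable_rows, hardened_rows)."""
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_hardened(conn, name)


def flag_string_built_sql(source: str) -> list:
    """Crude code-level check (assumed heuristic): 1-based line numbers where
    a query is executed from an f-string or a concatenated/formatted string."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if ".execute(" in line and any(m in line for m in ('f"', "f'", " + ", " % ")):
            hits.append(n)
    return hits


def scan_self():
    """Apply the check to the two lookup functions above."""
    return (flag_string_built_sql(inspect.getsource(lookup_vulnerable)),
            flag_string_built_sql(inspect.getsource(lookup_hardened)))


if __name__ == "__main__":
    # A normal name returns the same row from both forms; an input containing
    # SQL syntax widens the weak form's result while the hardened form treats
    # it as plain data and matches nothing.
    print(compare("bob"))
    print(compare("x' OR '1'='1"))
    print(scan_self())
```

The line-level check is intentionally simple; it stands in for the kind of code-focused inspection the third AAFS step calls for, and a real analysis would rely on a proper static-analysis tool rather than a string match.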

How do you ensure security in your architecture? Would you like to be involved in a case study? Leave a comment and let us know what you think! Also, look for an article in an IEEE publication concerning this research topic.

About the Author

Bill Pollak



