Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
125 tokens/sec
GPT-4o
47 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

How Dataflow Diagrams Impact Software Security Analysis: an Empirical Experiment (2401.04446v1)

Published 9 Jan 2024 in cs.SE

Abstract: Models of software systems are used throughout the software development lifecycle. Dataflow diagrams (DFDs), in particular, are well-established resources for security analysis. Many techniques, such as threat modelling, are based on DFDs of the analysed application. However, their impact on the performance of analysts in a security analysis setting has not been explored before. In this paper, we present the findings of an empirical experiment conducted to investigate this effect. Following a within-groups design, participants were asked to solve security-relevant tasks for a given microservice application. In the control condition, the participants had to examine the source code manually. In the model-supported condition, they were additionally provided a DFD of the analysed application and traceability information linking model items to artefacts in source code. We found that the participants (n = 24) performed significantly better in answering the analysis tasks correctly in the model-supported condition (41% increase in analysis correctness). Further, participants who reported using the provided traceability information performed better in giving evidence for their answers (315% increase in correctness of evidence). Finally, we identified three open challenges of using DFDs for security analysis based on the insights gained in the experiment.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (33)
  1. doi:10.1145/3167132.3167285.
  2. Microsoft Corporation, Microsoft threat modeling tool 2016 (2016). URL https://www.microsoft.com/en-us/download/details.aspx?id=49168
  3. doi:10.1109/MSP.2005.119.
  4. doi:10.1145/1321631.1321692.
  5. doi:10.1145/1858996.1859001.
  6. doi:10.1007/978-3-319-30806-7_4.
  7. doi:10.1109/ICSA.2019.00028.
  8. doi:10.1109/APSEC.2017.53.
  9. doi:10.1109/IT48810.2020.9070652.
  10. doi:10.1016/j.jss.2019.07.008.
  11. doi:10.1007/978-3-319-67425-4_12.
  12. doi:10.1016/j.jss.2023.111722.
  13. doi:10.1007/978-3-642-48354-7_9.
  14. doi:10.1007/978-3-319-72817-9_4.
  15. doi:10.1109/MSR59073.2023.00030.
  16. doi:10.1109/TSE.2002.1027796.
  17. doi:10.1007/978-1-4757-3304-4.
  18. doi:10.1007/978-3-642-29044-2.
  19. doi:10.1145/1414004.1414055.
  20. doi:10.1007/s10664-017-9523-3.
  21. doi:https://doi.org/10.1002/spe.1009.
  22. doi:https://doi.org/10.1016/j.jvlc.2014.12.004.
  23. doi:10.1145/1774088.1774576.
  24. doi:10.1145/2699696.
  25. doi:10.1109/TSE.2006.59.
  26. doi:10.1016/j.infsof.2011.07.002.
  27. doi:10.1109/TSE.2009.69.
  28. doi:10.1016/j.jss.2005.09.014.
  29. doi:10.1145/1082983.1083308.
  30. doi:10.1016/j.jss.2004.11.022.
  31. doi:10.1023/B:EMSE.0000048323.40484.e0.
  32. doi:10.1016/j.jss.2021.111090.
  33. doi:10.1145/3387940.3392221.
Citations (4)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now