A Business-Oriented Methodology to Evaluate the Security of Software Architecture Quantitatively

Abstract

Software architecture security design is a key stage in developing business-oriented system, such as business-critical system, ICT system and AI system. Many typical accidents also remind us that the security of software architecture even plays a more important role than the code security in most software systems. However, there are very few researches which focus on the security of software architecture. Especially, we don’t find a systematic and feasible quantitative method to evaluate the security of software architecture. To fill this gap, we launched a research project focusing on software architecture security since 2019 and try to provide a series of quantitative methods for evaluating the security of software architecture. In this paper, a business-oriented quantitative method was proposed to evaluate the security of software architecture from the view of business-critical security insurance. In our method, both business dependency graph (BDG) and multi-hierarchical dependency graph (MHDG) are defined and constructed first for describing businesses and their relationships, and system components and their relationships; then, attack points and business key-points are identified and labeled on BDG and MHDG; and further, all potential attack paths and effective attack paths in the system based on MHDG are detected; and finally, a set of security indicators is defined and used to evaluate the security of software architecture quantitatively. For more effective experiments, we use software architectures with different styles and different evolution versions. Experimental results show that our method can reflect effectively the security characteristics of software architecture with different styles, can find the security changes of different architecture evolution versions for the same system, and can perform quantitative evaluation of software architecture security efficiently.