Abstract

As software systems become increasingly prevalent in our digitalized world, the security of these systems becomes a critical concern. Cybercriminals continually exploit vulnerabilities in software, making it essential for software developers to consider the security of the software system while planning. Since existing approaches focus on identifying vulnerabilities from an attacker’s perspective, there is a research gap in modeling security from a defender’s perspective. This thesis addresses this gap by contributing a modeling language called the Fortress Modeling Language (FML). FML uses security dimensions to model the defender’s perspective. A security dimension is a part of a software architecture view that refers to defined security aspects, like for example authentication. Further, it consists of multiple security concerns, which are to be covered by the security dimension, and provides the link between the security concerns, requirements, and corresponding security design concepts. The concept of security dimensions is based on the concept of “security views” defined by Sinkovec [Sin22]. This thesis presents the FML metamodel and an example for realization as well as an evaluation of FML. For the evaluation, experts from industry and research were surveyed about FML in a semi-structured expert interview to investigate whether FML is suitable as a modeling language for the security of a software system. The results of the evaluation show that despite some criticism, the experts have considered the language to be overall suitable. The discussion of the results indicates that FML offers a promising first draft for modeling the security of software systems. Therefore, FML can serve as a foundation for upcoming security modeling languages. It can be used as a starting point for future improvements and shows a new way to model the security of system architectures.

tba

Resources

• Thesis report