Developing a UML-Profile for Security Architecture Modeling

This thesis is currently reserved!

Description

Security is a key quality attribute in modern software systems. However, when it comes to the underlying architecture of a software system, the architectural description (AD) of the whole system is often divided into its software architecture description and its security architecture description (SAD). Besides the redundancy between the AD and the SAD in the complete architectural description, this workflow can lead to inconsistencies and synchronization issues that increase complexity, especially for stakeholders or other participants who are not familiar with the security field.

The paradigm of Security-Centric Architecture Modeling (SCAM) [1] addresses these problems. SCAM tries to bridge the gap between security architecture and software architecture by providing integrated views of the AD and the Security Architecture Description (SAD) in one architectural model. It does so by introducing a conceptual architecture model with elements such as Architectural Models (AM), their Architectural Model Elements (AME), Architectural Security Requirements (ASR) and other conceptual ideas. However, the SCAM approach is currently only defined as an informal conceptual model, without an explicit metamodel on the M2 layer. Additionally, there is no UML-based realization.

This bachelor thesis aims to address this gap by formalizing the conceptual SCAM architecture as an M2-level metamodel and implementing it as a UML profile to support integrated security architecture modeling following the SCAM approach. With this in mind, this work will contribute to answering RQ1 of the fundamental SCAM paper “A Guided Modeling Approach for Secure System Design”, which asks how SAD and ADs can be separated, without maintaining them independently.

References

[1] A. R. Sabau, “A Guided Modeling Approach for Secure System Design,” 2024 IEEE 21st International Conference on Software Architecture Companion (ICSA-C), Hyderabad, India, 2024, pp. 105-110, doi: 10.1109/ICSA-C63560.2024.00026.

Project information

Status:

In progress

Thesis for degree:

Bachelor

Student:

Leon Gawdi

Supervisor:
Id:

2026-010