How dataflow diagrams impact software security analysis : an empirical experiment

Start Page
952
End Page
963
Citation
31st IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2024
Contribution to Conference
31st IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2024  
Publisher DOI
10.1109/SANER60148.2024.00103
Scopus ID
2-s2.0-85183368134
Publisher
IEEE
ISBN
9798350330663
Models of software systems are used throughout the software development lifecycle. Dataflow diagrams (DFDs), in particular, are well-established resources for security analysis. Many techniques, such as threat modelling, are based on DFDs of the analysed application. However, their impact on the performance of analysts in a security analysis setting has not been explored before. In this paper, we present the findings of an empirical experiment conducted to investigate this effect. Following a within-groups design, participants were asked to solve security-relevant tasks for a given microservice application. In the control condition, the participants had to examine the source code manually. In the model-supported condition, they were additionally provided a DFD of the analysed application and traceability information linking model items to artefacts in source code. We found that the participants (n = 24) performed significantly better in answering the analysis tasks correctly in the model-supported condition (41 % increase in analysis correctness). Further, participants who reported using the provided traceability information performed better in giving evidence for their answers (315% increase in correctness of evidence). Finally, we identified three open challenges of using DFDs for security analysis based on the insights gained in the experiment.
Subjects
analysis
dataflow diagrams
empirical experiment
microservices
model-based
security
DDC Class
005: Computer Programming, Programs, Data and Security