Author:

Abstract:

Secure development processes integrate security-related concerns into the software development life-cycle by augmenting existing software engineering processes with security-related activities. Some of these activities refer to secure design principles, yet quite surprisingly, they do not provide an explicit method to apply them in practice. Consequently, these principles are often neglected by software engineers, resulting in potentially high-risk threats to systems.In this dissertation, we address this problem for the prominent security design principle of least privilege in the architectural design phase, where consequences are serious. Concretely, this work turns implicit knowledge about the security design principle of least privilege into explicit architectural know-how and ensures that this principle can be systematically applied.To achieve this, we model the concept of architectural-level least privilege violation. Based on this model, we provide a method to analyze a software architecture for three classes of least privilege violations. Finally, we solve violations in each class by providing eight re-factoring transformations. We also leverage our models to analyze violations against the security design principle of separation of duties (SoD).We conducted the validation of this approach with four realistic case studies, where we observe that the number of violations is proportional to the size of the case study. These case studies are, in order of increasing size, a chat system, a conference management system, a publishing system, and a banking system.The approach used in this dissertation contributes to the security field. In particular, we outline a method that is be useful to study other security design principles.