Achieving and maintaining certain quality attributes of software-intensive systems is challenging, especially when these systems undergo change. In particular, information security is more difficult to maintain and degrades more rapidly than other non-functional attributes, often with catastrophic consequences. Security patterns are a well-established method for preventing and mitigating malicious attacks or unintentional failures. However, these patterns depend on contextual factors such as attacker behaviour and run-time configurations that are not explicitly addressed at design time, but evolve along with other software components or change dynamically in production. Security issues can arise after the initial development phases if software architects do not adequately document such contextual information in their designs. Existing approaches handle security-related information during the software design phase, but fail to consider the effects of evolving system architecture and environment due to implicit assumptions. Security pattern analysis needs to incorporate such contextual information to provide accurate security predictions. In this paper, we propose a novel approach for modelling security patterns and related contextual information within software architectures. This model-based documentation facilitates the analysis of the expected functionality of applied security patterns at an architectural abstraction level. We demonstrate how these architectural improvements support the maintenance of security by enabling architects to anticipate, track, and act upon the impact of evolutionary changes on the system. To validate our modelling approach, we apply it to a common case study.