Using Design Structure Matrices (DSM) as security controls for software architectures
Authors: Pierre Parrend, Timothé Mazzucotelli, Florent Colin
RESEARCH REPORT n°1, ARK:69427/03
Saturday, 20th May, 2017
4P-Factory E-Laboratory: the factory of the future
Keywords: Design Structure Matrices; Security Information Systems Architecture; Software Security; Secure Software Development Methodologies; Security and Privacy in Complex Systems; Security Metrics and Measurement
Abstract: Building secure software is often seen as a task mainly focused on development and penetration testing. However, it requires ensuring that the system embeds robust architecture principles, on which security features and proper code can rely. Few solutions for creating and monitoring such architectures exist, and the existing ones are dedicated to mission- and life-critical systems. Mainstream technologies, such as web platforms, host ever more critical applications and data, and need suitable tools for enforcing relevant architecture-level monitoring. We propose to apply the Design Structure Matrix (DSM) model to represent and analyze the structure of complex applications. DSM is both an efficient analysis tool and a convenient tool for visualising complex systems. It supports the translation of software architectures into graphs, which prove to be efficient tools for structural analysis. Guidelines for secure architectures are expressed, first qualitatively, then quantitatively, as constraints on these graphs. The Archan tool for supporting DSM-based architecture monitoring is presented. Our approach is illustrated for pedagogical purposes using two toy examples, and validated on a medium-scale project for managing sensitive medical data. Archan thus enforces sound architectural principles, which are a prerequisite for building secure systems.
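As an added illustration of the idea summarised above (this is not code from the report or from the Archan tool), the following Python builds a DSM for a constructed five-module medical-data application and checks two classical graph constraints on it: acyclicity (the cycle-breaking step of DSM partitioning) and a layering rule forbidding dependencies that point upward. The module names, dependencies and layer assignment are assumptions made for the example.

```python
from itertools import product

# Constructed sample: five modules of a hypothetical medical-data application.
MODULES = ["web_ui", "api", "auth", "medical_records", "db"]
# Assumed layering (0 = lowest): a module may only depend on its own or lower layers.
LAYER = {"db": 0, "auth": 1, "medical_records": 1, "api": 2, "web_ui": 3}
# Constructed dependencies, src -> set of dst. medical_records -> api is a deliberate
# upward dependency, and it closes a cycle with api -> medical_records.
DEPS = {
    "web_ui": {"api"},
    "api": {"auth", "medical_records"},
    "medical_records": {"db", "api"},
    "auth": {"db"},
    "db": set(),
}

def build_dsm(modules, deps):
    """DSM as a square 0/1 matrix: dsm[i][j] == 1 iff modules[i] depends on modules[j]."""
    idx = {m: i for i, m in enumerate(modules)}
    n = len(modules)
    dsm = [[0] * n for _ in range(n)]
    for src, dsts in deps.items():
        for dst in dsts:
            dsm[idx[src]][idx[dst]] = 1
    return dsm

def transitive_closure(dsm):
    """Warshall's algorithm: reach[i][j] == 1 iff j is reachable from i (k is the outer loop)."""
    n = len(dsm)
    reach = [row[:] for row in dsm]
    for k, i, j in product(range(n), repeat=3):
        if reach[i][k] and reach[k][j]:
            reach[i][j] = 1
    return reach

def cyclic_modules(dsm, modules):
    """Acyclicity constraint: modules that can reach themselves belong to a dependency cycle."""
    reach = transitive_closure(dsm)
    return [modules[i] for i in range(len(dsm)) if reach[i][i]]

def upward_dependencies(dsm, modules, layer):
    """Layering constraint: report edges that point from a lower layer to a higher one."""
    return [(modules[i], modules[j])
            for i, j in product(range(len(dsm)), repeat=2)
            if dsm[i][j] and layer[modules[i]] < layer[modules[j]]]

if __name__ == "__main__":
    dsm = build_dsm(MODULES, DEPS)
    for name, row in zip(MODULES, dsm):
        print(f"{name:16s}", " ".join(map(str, row)))
    print("modules in cycles:", cyclic_modules(dsm, MODULES))
    print("upward dependencies:", upward_dependencies(dsm, MODULES, LAYER))
```

Removing the single upward edge makes the matrix lower-triangular under the assumed layer order, which is exactly the shape a DSM partitioning aims for.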