Papers
Topics
Authors
Recent
Detailed Answer
Quick Answer
Concise responses based on abstracts only
Detailed Answer
Well-researched responses based on abstracts and relevant paper content.
Custom Instructions Pro
Preferences or requirements that you'd like Emergent Mind to consider when generating responses
Gemini 2.5 Flash
Gemini 2.5 Flash 42 tok/s
Gemini 2.5 Pro 53 tok/s Pro
GPT-5 Medium 17 tok/s Pro
GPT-5 High 13 tok/s Pro
GPT-4o 101 tok/s Pro
Kimi K2 217 tok/s Pro
GPT OSS 120B 474 tok/s Pro
Claude Sonnet 4 36 tok/s Pro
2000 character limit reached

How Dataflow Diagrams Impact Software Security Analysis: an Empirical Experiment (2401.04446v1)

Published 9 Jan 2024 in cs.SE

Abstract: Models of software systems are used throughout the software development lifecycle. Dataflow diagrams (DFDs), in particular, are well-established resources for security analysis. Many techniques, such as threat modelling, are based on DFDs of the analysed application. However, their impact on the performance of analysts in a security analysis setting has not been explored before. In this paper, we present the findings of an empirical experiment conducted to investigate this effect. Following a within-groups design, participants were asked to solve security-relevant tasks for a given microservice application. In the control condition, the participants had to examine the source code manually. In the model-supported condition, they were additionally provided a DFD of the analysed application and traceability information linking model items to artefacts in source code. We found that the participants (n = 24) performed significantly better in answering the analysis tasks correctly in the model-supported condition (41% increase in analysis correctness). Further, participants who reported using the provided traceability information performed better in giving evidence for their answers (315% increase in correctness of evidence). Finally, we identified three open challenges of using DFDs for security analysis based on the insights gained in the experiment.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (33)
  1. doi:10.1145/3167132.3167285.
  2. Microsoft Corporation, Microsoft threat modeling tool 2016 (2016). URL https://www.microsoft.com/en-us/download/details.aspx?id=49168
  3. doi:10.1109/MSP.2005.119.
  4. doi:10.1145/1321631.1321692.
  5. doi:10.1145/1858996.1859001.
  6. doi:10.1007/978-3-319-30806-7_4.
  7. doi:10.1109/ICSA.2019.00028.
  8. doi:10.1109/APSEC.2017.53.
  9. doi:10.1109/IT48810.2020.9070652.
  10. doi:10.1016/j.jss.2019.07.008.
  11. doi:10.1007/978-3-319-67425-4_12.
  12. doi:10.1016/j.jss.2023.111722.
  13. doi:10.1007/978-3-642-48354-7_9.
  14. doi:10.1007/978-3-319-72817-9_4.
  15. doi:10.1109/MSR59073.2023.00030.
  16. doi:10.1109/TSE.2002.1027796.
  17. doi:10.1007/978-1-4757-3304-4.
  18. doi:10.1007/978-3-642-29044-2.
  19. doi:10.1145/1414004.1414055.
  20. doi:10.1007/s10664-017-9523-3.
  21. doi:https://doi.org/10.1002/spe.1009.
  22. doi:https://doi.org/10.1016/j.jvlc.2014.12.004.
  23. doi:10.1145/1774088.1774576.
  24. doi:10.1145/2699696.
  25. doi:10.1109/TSE.2006.59.
  26. doi:10.1016/j.infsof.2011.07.002.
  27. doi:10.1109/TSE.2009.69.
  28. doi:10.1016/j.jss.2005.09.014.
  29. doi:10.1145/1082983.1083308.
  30. doi:10.1016/j.jss.2004.11.022.
  31. doi:10.1023/B:EMSE.0000048323.40484.e0.
  32. doi:10.1016/j.jss.2021.111090.
  33. doi:10.1145/3387940.3392221.
Citations (4)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
List To Do Tasks Checklist Streamline Icon: https://streamlinehq.com

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up
Lightbulb On Streamline Icon: https://streamlinehq.com

Continue Learning

We haven't generated follow-up questions for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now