The Architectural Analysis for Security (AAFS) Method

April 2015 Presentation
Jungwoo Ryoo (Pennsylvania State University), Rick Kazman (University of Hawaii)

This talk proposes several ways to evaluate the security readiness of an architecture: vulnerability-, tactics-, and pattern-based architectural analysis techniques.


Software Engineering Institute

This presentation was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.


Security is a quality attribute that has both architectural and coding implications—it is necessary to get both right to create and maintain secure systems. But most of the existing research on making systems secure has focused on coding, and there is little direction or insight into how to create a secure architecture. In this talk we propose several ways to analyze and evaluate the security readiness of an architecture: vulnerability-based (VoAA), tactics-based (ToAA), and pattern-based architectural analysis (PoAA) techniques. We first compare the strengths and weaknesses of each approach. Next, we show that these different approaches are complementary to each other. Finally, we describe how to combine these analysis techniques in a single analysis method to obtain the best outcomes. We employ our blended analysis technique in a case study to demonstrate the feasibility of our architectural-security analysis method.