Software Engineering Institute | Carnegie Mellon University

Identifying the Architectural Roots of Vulnerabilities

  • February 2016
  • By Rick Kazman, Carol Woody
  • In this podcast, Rick Kazman and Carol Woody discuss an approach for identifying architecture debt in a large-scale industrial software project by modeling software architecture as design rule spaces.
  • Software Architecture Vulnerability Analysis
  • Publisher: Software Engineering Institute
  • The greater number of architectural flaws a file is implicated in, the greater number of security bugs it experiences. Design flaws don’t care. They are going to make everything worse.

  • Abstract

    In our studies of many large-scale software systems, we have observed that defective files seldom exist alone. They are usually architecturally connected, and their architectural structures exhibit significant design flaws that propagate bugginess among files. We call these flawed structures the architecture roots, a type of technical debt that incurs high maintenance penalties. Removing the architecture roots of bugginess requires refactoring, but the benefits of refactoring have historically been difficult for architects to quantify or justify. In this podcast, Rick Kazman and Carol Woody discuss an approach to model and analyze software architecture as a set of design rule spaces. Using data extracted from the project’s development artifacts, this approach identifies the files implicated in architecture flaws and suggests refactorings based on removing these flaws.


About the Speaker

  • Rick Kazman

    Dr. Rick Kazman focuses on software architecture, software engineering economics, design and development tools, and software visualizations. In addition to his research at the SEI, he is also a faculty member at the University of Hawaii.

  • Carol Woody

    Carol Woody has been a senior member of the technical staff since 2001 and is the technical manager of the Cybersecurity Engineering Team, whose research focuses on security and software assurance for highly complex networked systems throughout the development and acquisition lifecycles.