View-1008: Architectural Concepts
Software designers may find this view useful as the weaknesses are organized by known security tactics, aiding the designer in embedding security throughout the design process instead of discovering weaknesses after the software has been built.
Educators may use this view as reference material when discussing security by design or architectural weaknesses, and the types of mistakes that can be made.
The top-level categories in this view represent the individual tactics that are part of a secure-by-design approach to software development. The weaknesses that are members of each category contain information about how each is introduced relative to the software's architecture. Three different modes of introduction are used:
Omission - caused by missing a security tactic when it is necessary.
Commission - refers to an incorrect choice of tactics, which could result in undesirable consequences.
Realization - appropriate security tactics are adopted but are incorrectly implemented.
This view is under development, and subsequent releases will focus on reviewing the individual weaknesses to verify their inclusion in this view and adding any applicable ChildOf relationships. Comments about revisions are welcome.
REF-9 A Catalog of Security Architecture Weaknesses.
REF-10 Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird.