A Taxonomy of Functional Security Features and How They Can Be Located
2025 Conference / Journal
Authors
Alena Naiakshina, M. Angela Sasse, Riccardo Scandariato, Thorsten Berger, Sven Peldszus, Asli Yardim, Catherine Tony, Simon Schneider, Kevin Hermann
Research Hub
Research Hub D: Usability
Research Challenges
RC 7: Building Secure Systems
RC 10: Engineers and Usability
Abstract
Security must be considered in almost every software system. Unfortunately, selecting and implementing security features remains a challenge due to the wide variety of security threats and possible countermeasures. While security standards are intended to help developers, they are usually too abstract and vague to help implement security features, or they merely help configure them. A resource that describes security features at an abstraction level between high-level (i.e., rather too general) and low-level (i.e., rather too specific) security standards could facilitate secure systems development. This resource should support the selection of appropriate security features to achieve high-level security goals, allow easy retrieval of relevant low-level details, and provide pointers to suitable ways to realize the security features. To realize security features, developers typically use external security libraries or frameworks in order to minimize implementation mistakes. Even when using libraries, developers still make mistakes when writing the code that integrates them, often resulting in security vulnerabilities. When security incidents occur or the system needs to be audited or maintained, it is essential to know which security features have been implemented and, more importantly, where they are located. This task, commonly referred to as feature location, is often tedious and error-prone. While dedicated feature location techniques exist, they require significant manual effort or adherence to strict development processes, which prevents their use in practice. Therefore, we need to support long-term tracking of implemented security features.