Addressing the knowledge transfer problem in secure software development through anti-patterns

  • Tayyaba Nafees

Student thesis: Doctoral Thesis


There is a distinct communication gap between software engineering and cybersecurity communities when it comes to addressing reoccurring security problems, known as vulnerabilities. Many vulnerabilities are caused by software errors that occur due to developers’ common mistakes. Insecure software development practices are common due to a variety of factors, which include inefficiencies within existing knowledge transfer mechanisms based on vulnerability databases (VDBs) and pattern-based approaches, software developers perceiving security as an afterthought, and lack of consideration of security as part of the Software Development Lifecycle (SDLC). The resulting communication gap also prevents developers and security experts from successfully sharing essential security knowledge.

This thesis identifies the major issues in the transfer of vulnerability knowledge (vulnerability databases (VDBs)) using the existing pattern based approaches, which prohibits developers from finding causes of vulnerabilities (errors) and mitigating them; Experts of both domains struggle to understand each other’s security perspectives due to lack of understanding and sharing of common terms, languages and procedures.

To address these issues, a hybrid pattern-based approach, Vulnerability Anti-pattern (VAPs), has been developed consisting of two types that encapsulates knowledge of existing vulnerabilities to bridge the communication gap between security experts and software developers. A catalogue of VAPs based on the most commonly occurring vulnerabilities has been created that assists software developers in developing an awareness of how malicious hackers can exploit errors in software.

The evaluation was performed through a series of experimental studies to measure the effectiveness of VAP in order to raise awareness of poor security practices that lead to vulnerabilities. Whilst the results indicate the improvement of developers’ awareness of vulnerabilities and encouraging them to create secure software systems.
Date of Award20 Mar 2019
Original languageEnglish
SupervisorNatalie Coull (Supervisor) & Ian Ferguson (Supervisor)

Cite this