Humberto Cervantes
Professor of Software Engineering at Universidad Autónoma Metropolitana–Iztapalapa

Dr. Humberto Cervantes is a professor and researcher at Universidad Autónoma Metropolitana–Iztapalapa in Mexico City. His primary research interests include software architecture development methods and their adoption in industrial settings. Dr. Cervantes is also a consultant for software development companies on topics related to software architecture. He holds the Software Architecture Professional and ATAM Evaluator certificates from the SEI. He is the co-author of the book "Designing Software Architectures: A Practical Approach".

Approaching Security from an Architecture First Perspective

While software security is an increasing concern for software and system architects, few architects approach this quality concern strategically. Architects and developers typically focus on functionality, and they often apply security as a Band-Aid solution after developing an application. In this presentation, we report on three case studies of real-world projects—two industrial and one open source—for which we attempted to measure the consequences of three architectural approaches to security. These architectural approaches differ in the degree of adoption of security frameworks for the development projects: “no adoption,” where no security frameworks are used; “partial adoption,” where security frameworks are introduced in the middle of the lifetime of a software application; and “full adoption,” where one or more security frameworks are adopted from the beginning of the development process. We conducted the case studies by interviewing architects about the security tactics implemented in their projects and by scanning the systems to identify their vulnerabilities using a commercial security scanner (IBM’s AppScan). The results of our case studies indicate that a strategic, system-wide, architectural approach to security, implemented through the partial or full adoption of security frameworks, results in the best outcome from both security and maintenance cost perspectives.