Exploratory Evaluation of Secure Design Methodologies Between Security and Code Quality
Resumo
This paper investigates the impacts of secure design methodologies on the structural quality and presence of vulnerabilities in systems developed in Java. We analyzed 333 popular GitHub repositories, classified according to four security approaches: Security by Design, Defense in Depth, Runtime Security and Zero Trust Architecture. Using static analysis techniques, we evaluated vulnerabilities based on the CWE taxonomy, in addition to code quality metrics such as coupling (CBO), cohesion (LCOM) and cyclomatic complexity. The results indicate that the adoption of secure design practices, although relevant for risk mitigation, can negatively impact the modularity of the system. In particular, approaches such as Security by Design presented higher levels of coupling and lower cohesion. We also observed that the combination of multiple security practices did not necessarily result in a lower number of vulnerabilities, suggesting an increase in complexity without proportional benefit. These findings highlight the importance of balanced architectural decisions that consider the commitments between security and internal software quality.
Referências
Len Bass, Paul Clements, and Rick Kazman. 2021. Software Architecture in Practice (4 ed.). Addison-Wesley Professional.
X. Chengjie, W. Guojun, W. Honghua, J. Yinjie, and M. Dai. 2015. Design of Cloud Safety Monitoring Management Platform of Saline Alkali Industry. In 2015 International Conference on Intelligent Transportation, Big Data and Smart City. 294–297. DOI: 10.1109/ICITBS.2015.79
Mahdi Fahmideh, John Grundy, Aakash Ahmad, Jun Shen, Jun Yan, Davoud Mougouei, Peng Wang, Aditya Ghose, Anuradha Gunawardana, Uwe Aickelin, and Babak Abedin. 2023. Engineering Blockchain-based Software Systems: Foundations, Survey, and Future Directions. ACM Comput. Surv. 55, 6 (2023), Article 110. DOI: 10.1145/3530813
Marco Antônio Filó, Mariza Bigonha, and Wellington Ferreira. 2024. Evaluating Thresholds for Object-Oriented Software Metrics. Journal of the Brazilian Computer Society 30, 1 (2024), 1–25.
Jenny T. Liang et al. 2023. A Qualitative Study on the Implementation Design Decisions of Developers. In 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE). 435–447.
Abdechakour Mechri, Mohamed Amine Ferrag, and Merouane Debbah. 2025. SecureQwen: Leveraging LLMs for vulnerability detection in python codebases. Computers & Security 148 (2025), 104151. DOI: 10.1016/j.cose.2024.104151
Tareq Abed Mohammed and Ahmed Burhan Mohammed. 2020. Security Architectures for Sensitive Data in Cloud Computing. In Proceedings of the 6th International Conference on Engineering & MIS 2020 (ICEMIS’20). DOI: 10.1145/3410352.3410828
Z. Peng, T. Liu, and L. Mai. 2020. Design and Implementation of Dormitory Management System based on SSM framework. In 2020 International Conference on Information Science, Parallel and Distributed Systems (ISPDS). 321–325. DOI: 10.1109/ISPDS51347.2020.00074
Francisco Ponce, Jacopo Soldani, Carla Taramasco, Hernan Astudillo, and Antonio Brogi. 2024. Triaging Microservice Security Smells, with TriSS. In Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering (EASE ’24). Association for Computing Machinery, New York, NY, USA, 698–706. DOI: 10.1145/3661167.3661282
Nathan Semertzidis, Fabio Zambetta, and Florian Mueller. 2023. Brain-Computer Integration: A Framework for the Design of Brain-Computer Interfaces from an Integrations Perspective. ACM Trans. Comput.-Hum. Interact. 30, 6 (2023), Article 86. DOI: 10.1145/3603621
Claes Wohlin, Per Runeson, Martin Höst, Magnus C. Ohlsson, Björn Regnell, and Anders Wesslén. 2012. Experimentation in Software Engineering. Vol. 236. Springer, Berlin.
H. Zhang, S. Li, Z. Jia, C. Zhong, and C. Zhang. 2019. Microservice Architecture in Reality: An Industrial Inquiry. In 2019 IEEE International Conference on Software Architecture (ICSA). 51–60. DOI: 10.1109/ICSA.2019.00014
