Security vulnerabilities are increasingly due to software. While we focus much of our attention today on code-level vulnerabilities, such as buffer overflows, we should be paying more attention to design-level vulnerabilities. Independently designed and implemented components may individually behave properly, but when put together, unanticipated interactions may occur. An unanticipated interaction between two software components is an opportunity for an attacker to exploit.