Welcome to securitypatterns.org

The main objective of this Website is to bring together security patterns enthusiasts, to provide a forum for security patterns and to improve the overall work on security patterns.

In the past, we have identified security patterns as a very powerful concept that helps to solve recurring security problems in a proven, successful way. Consider this a call for participation: please send in suggestions on how you could contribute to keep the site up-to-date. It's possible to get an account for writing your own articles on this site. Send a message to brainstorming (at) securitypatterns.org or subscribe to the mailing list. See also the current pattern collection.

Posted in General

New Security Patterns book by Ed Fernandez: Foreword

The new book on Security Patterns is prepared for print. I’m happy that Ed chose me as shepherd for the book. I’ve just finished the Foreword:

“Security is simple. We use a little bit of cryptography, add some firewalls and passwords
– done! In theory…

When I started work in the field of security in the mid 1990s, I met many people who
thought they could easily secure their applications. They used certain ingredients of security measures and applied them to whatever problem they had. Even worse: sometimes they didn’t use existing ingredients, but build their own – making the same errors made in hundreds of previous projects. And practice proved them wrong: security was never simple – there’s always at least one loophole. There’s always an unexpected side-effect. There’s always something that you miss if you are not an expert. Front page news regularly proves that we obviously never learn.

Key reasons for insecure applications are:

  • Lack of time, due to aggressive deadlines and tight budgets
  • Lack of knowledge – IT experts are usually not security experts
  • Lack of priorities – functionality and performance usually come top

That’s why we are literally doomed to failure. Hackers have an easy job entering a system,
stealing or changing data and leaving without a trace. Sometimes the victim doesn’t
even know that something really bad happened until his new designs are somehow copied
by a competitor, or supposedly protected customer data is published on public web sites.
Or a journalist gets a hint of a fantastic new story. Even worse, modern applications are
becoming more and more complex – think of recent trends like mobility and cloud computing. Borders disappear and the means of protecting known areas is difficult.

In traditional engineering we have hundreds of years of knowledge that has evolved
over time. We know how to build bridges that survive rain, wind and earthquakes. We
know how to build solid cars that give you a good chance of surviving a crash. We know
of proven solutions to problems in specific contexts. Written down, these are called
patterns, paradigms that have also been applied to software engineering for quite some time. Towards the end of the 1990s we saw work on patterns that were dedicated to security problems. The pattern community came together and collected the work in progress, resulting in one of the first comprehensive security pattern collections, which captured security expertise for getting it done the right way.

It was obvious that the work was not completed by the publication of a few books. Besides
mining additional knowledge and writing more patterns, an interesting question is
how to apply them effectively. Both of these issues are answered with this new book from
Eduardo Fernandez, a pioneer of computer science and security patterns. He has continued
the work that we started ten years ago, and I’m honored that I could be his sparring
partner while he wrote it.

The result is the most up-to-date guide for software engineers who want to understand
how to build reliable applications. It provides guidance for applying the captured expertise
of security patterns in your day-to-day work. Security is still not easy, but it is much
easier when you understand the benefits, liabilities and dependencies of specific solutions."

Posted in Books, General

Peter Sommerlad

Prof. Peter Sommerlad is director of the IFS Institute for Software at FHO/HSR Rapperswil, Switzerland. Peter is co-author of the books POSA Vol. 1 and Security Patterns and contributed to "97 Things Every Programmer Should Know". His goal is to make software simpler by Decremental Development: refactoring software down to 10% of its size with better architecture, testability, quality and functionality. To reach that goal his team and students create IDE tooling based on Eclipse, mainly for C++ and Scala.

Source is Peter’s Wiki.

Posted in Who is Who

Pattern Contributions at Conferences & Workshops

We are aware of the following contributions which focus on security (and closely related) patterns. In order to reflect the evolution of security patterns, they are presented in chronological order (most recent patterns first).

Posted in Patterns

Security Patterns Foundations

Besides patterns, a lot of background and modeling research has been done. In this section, we publish such "meta" information which doesn't present new patterns, but provides new insight into security patterns as an engineering tool.

Posted in Foundations

Dr. Eduardo B. Fernandez

Ed has pioneered the field of Security Patterns. He frequently publishes patterns and books on our beloved topic. Ed’s bio on his Website:

“Since 1984 I have been a Professor of Computer Science and Engineering at FAU. Before that, I worked at the University of Chile, IBM Corp., and the University of Miami. I have also consulted for a variety of companies. I have written several books and book chapters, 40 journal papers, and over 200 conference papers. I have directed 9 Ph.D. Dissertations and 37 MS theses. I have lectured all over the world, including places such as Santiago, Chile, Buenos Aires, Argentina, Shanghai, Shenyang, and Beijing, China, Munich and Regensburg, Germany, Genoa and Pisa, Italy, Johannesburg, South Africa, and many others. I am currently writing a textbook on computer security.”

Posted in Who is Who

A Survey on Security Patterns

Abstract: Security has become an important topic for many software systems. Security patterns are reusable solutions to security problems. Although many security patterns and techniques for using them have been proposed, it is still difficult to adapt security patterns to each phase of software development. This paper provides a survey of approaches to security patterns. As a result of classifying these approaches, a direction for the integration and future research topics is illustrated.

A nice survey on the topic; give it a try.

Posted in Foundations

Understanding Security with Patterns

A nice introduction to Security Patterns: Tutorial T39 at OOPSLA 2006 by Peter Sommerlad.

Posted in Presentations

Security Patterns: Integrating Security and Systems Engineering

Most security books are targeted at security engineers and specialists. Few show how to build security into software. None break down the different concerns facing security at different levels of the system: the enterprise, architectural and operational layers. Security Patterns addresses the full spectrum of security in systems design, using best practice solutions to show how to integrate security into the broader engineering process. It is essential for designers building large-scale systems who want best practice solutions to typical security problems. A real-world case study illustrates how to use the patterns in specific domains.

Pattern work from day one, rewritten and unified by the pattern community. The book captures security expert knowledge, which is desperately needed since so many software projects still fail badly.

ISBN: 0-470-85884-2
John Wiley & Sons, December 2005. Order at Amazon.


Posted in Books

Best Practices and Strategies for J2EE, Web Services, and Identity Management

A group at Sun (Chris Steel, Ramesh Nagappan, Ray Lai – boys, we miss Sun Microsystems!) offers a set of architectural security patterns for J2EE-based applications, Web services and identity management. They have an outline of their patterns available. See the official Website for more information.

ISBN: 0-131-46307-1
Prentice Hall International, December 2005. Order at Amazon.

Posted in Books