Security Engineering with Patterns

Synopsis: For quite some time, in systems and software design, security only came as a second thought or even as a nice-to-have add-on. However, since the breakthrough of the Internet as a virtual backbone for electronic commerce and similar applications, security is now recognized as a fundamental requirement. This book presents a systematic security improvement approach based on the pattern paradigm. The author first clarifies the key concepts of security patterns, defines their semantics and syntax, demonstrates how they can be used, and then compares his model with other security approaches. Based on the author’s model and best practice in security patterns, security novices are now in a position to understand how security experts solve problems and can basically act like them by using the patterns available as building blocks for their designs.

ISBN: 3-540-40731-6
Springer Berlin Heidelberg, Lecture Notes in Computer Science (LNCS), 2003.

Information Security Antipatterns in Software Requirements Engineering

Abstract: “Requirements engineering is one of the key activities in the software development process. The rapid expansion of e-commerce and internet applications increases the need for adequate application security. Yet, conventional requirements engineering methodologies rarely mention information security aspects. The information security community, on the other hand, has developed system security requirements specification methodologies. These methodologies, from the software architect’s point of view, are often hard to understand and too general to be applied. By following conventional methodologies and failing to thoroughly understand the security consequences, architects end up with inadequate application security. This paper presents two commonly observed cases – antipatterns. In the first case, an old and well-known (perimeter security) model is applied in a new context without analysis of the security requirements. In the second case, the impact of lacking data sensitivity classification and threat analyses is considered.”

Full paper here. By Miroslav Kis, Ph.D., CISSP, Member IEEE


Security Design Patterns

These patterns extend Yoder’s Application Security patterns to the network level. Sasha wrote: “These are a good start, but when we consider the issues that arise when securing a networked application there are others that will apply.”

Enjoy reading.


A Pattern Language for Key Management

Abstract: Many services in a distributed public network – like the Internet – require secure communications. Security in communications consists of integrity, authenticity, confidentiality and non-repudiability. These aims can be achieved with cryptography. Key management plays a fundamental role in secure communications, as it is the basis of all cryptographic functions.

This paper describes a pattern language for key management. Eleven patterns are described: Alice & Friends, There is somebody eavesdropping, The Real Thing, Signed Envelope, Face-to-Face, Address Book, Sealed Envelope, Sealed and Signed Envelope, Seal Ring Engraver, Key in the Pocket and The Forged Seal Ring. These patterns are designed to answer basic key management requirements in respect of secure communications.

Read Sami’s and Juha’s work here.


A Pattern Language for Security Models

Abstract: Security is a serious problem in the Internet and it is necessary to build new systems incorporating security as integral part of their design. The use of patterns is a good tool to help designers build secure systems. We discuss three patterns that correspond to the most common models for security: Authorization, Role-Based Access Control, and Multilevel Security. These can be applied in all the levels of the system and we show their use in the definition of a pattern for file authorization.

Basic work regarding fundamental security concepts. A copy can be found here.


Security Engineering with Patterns (paper)

Abstract: Conducting digital business requires secure network and application architectures. The recently increasing occurrence of severe attacks has shown, however, that we will still need quite some time and effort to reach security standards of IT systems alike the standard already usual in other fields. At present, there is a huge gap between theory and the code of practice. Whereas scientists work on formal approaches for the specification and verification of security requirements, practitioners have to meet the users’ requirements. The Pattern Community recognized this problem, too. Patterns literally capture the experience from experts in a structured way. Thus novices can benefit from know-how and skills of experts. Hence, we propose to apply the pattern approach to the security problem. We show that recent security approaches are not sufficient and describe how Security Patterns contribute to the overall process of security engineering. A Security Pattern System provides linkage between Security Patterns. Thus dependencies between specific security problems can be considered in a comprehensive way.

A copy of the paper can be found here.


Transformations for Introducing Patterns – A Secure Systems Case Study

From the abstract: transformations between UML models are used to introduce patterns by refinement.

Quite formal but interesting approach for working with patterns – maybe in a tool-driven context. Read the complete paper here.

Metadata and Authorization Patterns

Abstract: We consider the use of metalevels in a hierarchically layered architecture for object-oriented systems and we look at the specification of authorization rules in a specific metalevel. These constraints can be defined using patterns and are enforced by the lower levels. We consider a few of those authorization patterns.

The original paper seems to be no longer online. Use this version as provided on Google Code.


The Object Filter and Access Control Framework

Abstract: The amount of data available in the Internet is growing every day. It has become necessary to protect and filter out this data for institutional and legislative reasons. We assume here that data is stored as objects in a distributed environment where the objects need to be shared. This framework provides first client request authentication. In many distributed object systems, once authenticated a client can directly access objects in any way. The Object Filter and Access Control Framework avoids this by constraining a client to access objects in specified ways defined by the client rights.

Read the complete paper.
