Synopsis: For quite some time, in systems and software design, security only came as a second thought or even as a nice-to-have add-on. However, since the breakthrough of the Internet as a virtual backbone for electronic commerce and similar applications, security is now recognized as a fundamental requirement. This book presents a systematic security improvement approach based on the pattern paradigm. The author first clarifies the key concepts of security patterns, defines their semantics and syntax, demonstrates how they can be used, and then compares his model with other security approaches. Based on the author’s model and best practice in security patterns, security novices are now in a position to understand how security experts solve problems and can basically act like them by using the patterns available as building blocks for their designs.
Springer Berlin Heidelberg, Lecture Notes in Computer Science (LNCS), 2003.
“Requirements engineering is one of the key activities in the software development process. The rapid expansion of e-commerce and internet applications increases the need for adequate application security. Yet, conventional requirements engineering methodologies rarely mention information security aspects. The information security community, on the other hand, has developed system security requirements specification methodologies. These methodologies, from the software architect’s point of view, are often hard to understand and too general to be applied. By following conventional methodologies and failing to thoroughly understand the security consequences, architects end up with inadequate application security. This paper presents two commonly observed cases – antipatterns. In the first case, an old and well-known (perimeter security) model is applied in a new context without analysis of the security requirements. In the second case, the impact of lacking data sensitivity classification and threat analyses is considered.”
Full paper here. By Miroslav Kis, Ph.D., CISSP, Member IEEE
These patterns extend Yoder’s Application Security patterns to the network level. Sasha wrote: “These are a good start, but when we consider the issues that arise when securing a networked application there are others that will apply.”
Abstract: We consider the use of metalevels in a hierarchically layered architecture for object-oriented systems and we look at the specification of authorization rules in a specific metalevel. These constraints can be defined using patterns and are enforced by the lower levels. We consider a few of those authorization patterns.
The original paper seems to be no longer online. Use this version as provided on Google Code.
Abstract: The amount of data available in the Internet is growing every day. It has become necessary to protect and filter out this data for institutional and legislative reasons. We assume here that data is stored as objects in a distributed environment where the objects need to be shared. This framework provides first client request authentication. In many distributed object systems, once authenticated a client can directly access objects in any way. The Object Filter and Access Control Framework avoids this by constraining a client to access objects in specified ways defined by the client rights.
Read the complete paper.