• Home
• Patterns
• Forum

Overview

• Security Pattern Books & Collections
• Security Patterns Online (links to security pattern related papers in chronological order). Last updated: July 15, 2008.
• 2009, 2008, 2007, 2006, 2005, 2004, 2003, 2002, 2001, 2000, 1999, 1998, 1997

Security Pattern Books & Collections

Security Patterns: Integrating Security and Systems Engineering

Synopsis: Most security books are targeted at security engineers and specialists. Few show how to build security into software. None breakdown the different concerns facing security at different levels of the system: the enterprise, architectural and operational layers. Security Patterns addresses the full spectrum of security in systems design, using best practice solutions to show how to integrate security in the broader engineering process. Essential for designers building large-scale systems who want best practice solutions to typical security problems. A real world case study illustrate how to use the patterns in specific domains.

J2EE, Web Services and Identity Management

A group at SUN (Chris Steel, Ramesh Nagappan, Ray Lai) offers a set of architectural security patterns for J2EE-based applications, Web services and identity management. They have an outline of their patterns available. See the official web-site for more information.

Technical Guide to Security Design Patterns

The Opengroup published a technical guide that contains security design patterns. The catalog contains available system patterns and protected system patterns. It can be downloaded from the Opengroup website.

Pattern Contributions at Conferences & Workshops

We are aware of the following contributions which focus on security (and somehow related) patterns. In order to reflect the evolution of security patterns they are presented in chronological order (most recent patterns first).

2009

• Cristea Ana Daniela, Octavian Prostean, Thomas Muschalik, and Ovidiu Tirian, AN ACCESS CONTROL PATTERN BASED ON QUALIFICATIONS TO GRAND ACCESS TO PHYSIC RESOURCES, The 3rd European DAAAM International Young Researchers and Scientists Conference, 25-28th November 2009, Vienna, Austria

2008

• N. Yoshioka, H. Washizaki, K. Maruyama, A survey on security patterns, Progress in Informatics, No. 5 pp. 35-47, (2008)

2007

• E.B. Fernandez, J. Ballesteros, A.C. Desouza-Doucet, M.M. Larrondo-Petrie, Security Patterns for Physical Access Control Systems
• E.B. Fernandez, M. VanHilst, J.C. Pelaez, Patterns for WiMax security
• E.B. Fernandez, J.C. Pelaez and M.M. Larrondo-Petrie, Security patterns for Voice over IP Networks
• E.B. Fernandez, M.M. Larrondo-Petrie, A.E. Escobar, Contexts and Context-Based Access Control
• G. Dallons, P. Massonet J.-F. Molderez C., Ponsard A. Arenas, An Analysis of the Chinese Wall Pattern for Guaranteeing Confidentiality in Grid based Virtual Organisations
• A. Kubo, H. Washizaki, Y. Fukazawa, Extracting Relations among Security Patterns

2006

• L.-H. Netland, Y. Espelid, and K. Mughal, Security Pattern for Input Validation, in Proc. VikingPLoP 2006, Helsingør.
• Roland Erber, Christian Schläger, Günther Pernul, Patterns for Authentication and Authorisation Infrastructures
• Sasha Romanosky, Alessandro Acquisti, Jason Hong, Lorrie Faith Cranor, Batya Friedman, Privacy Patterns for Online Interactions, Conference on Pattern Languages of Programs, PLoP 2006.
• M. Hafiz, A Collection of Privacy Design Patterns, Conference on Pattern Languages of Programs, PLoP 2006.
• M. Hafiz, R. E. Johnson, Security Patterns and their Classification Schemes
• M. Weiss, Credential Delegation: Towards Grid Security Patterns, accepted for Nordic Pattern Languages of Programs Conference (VikingPLoP), 2006
• P. Morrison and E.B.Fernandez, Securing the Broker pattern, Procs. of the 11th European Conf. on Pattern Languages of Programs (EuroPLoP 2006), July 2006.
• E. B. Fernandez, T. Sorgente, and M. M. Larrondo-Petrie, Even more patterns for secure operating systems, Conference on Pattern Languages of Programs, PLoP 2006.
• E.B.Fernandez and Guenther Pernul, Patterns for Session-Based Access Control, Conference on Pattern Languages of Programs, PLoP 2006.
• P. Morrison and E.B.Fernandez, Credentials, Conference on Pattern Languages of Programs, PLoP 2006.

2005

• E.B.Fernandez and T. Sorgente, "A pattern language for secure operating system architectures", Proceedings of the 5th Latin American Conference on Pattern Languages of Programs, Campos do Jordao, Brazil, August 16-19, 2005, 68-88.
• E.B.Fernandez and Ajoy Kumar, "A security pattern for rule-based intrusion detection", Proceedings of the Nordic Conference on Pattern Languages of Programs, Viking PLoP 2005, Otaniemi, Finland, 23-25 September 2005.
• N. Delessy, and E.B.Fernandez, Patterns for the eXtensible Access Control Markup Language, in Proceedings of the 12th Pattern Languages of Programs Conference (PLoP2005), Monticello, Illinois, USA, 7-10 September 2005.
• M. Sadicoff, M. M. Larrondo-Petrie, and E.B.Fernandez, Privacy-Aware Network Client Pattern, in Proceedings of the 12th Pattern Languages of Programs Conference (PLoP2005), Monticello, Illinois, USA, 7-10 September 2005.
• A Pattern Language of Software Licensing (EuroPLoP)

2004

• The Security Architecture of qmail (PLoP)
• Patterns for Application Firewalls (PLoP)

2003

• Several security patterns were workshopped at EuroPLoP 2003:
• Security Taxonomy Pattern Language
• Security Paradigm Pattern Language
• More patterns for operating systems access control
• Security Patterns for Agent Systems
• Firewall Patterns
• Reverse Proxy Patterns
• Remote Authenticator / Authorizer (PLoP)
• A Pattern Language for Firewalls (PLoP)

2002

• A dedicated workshop for security patterns patterns at EuroPLoP: Security & Access
• Controlled Access Patterns
• Pattern Language for Cryptographic Key Management
• A Password Pattern Language
• Enterprise Security Patterns
• Security Pattern and Security Standards
• Security Pattern Repository for web applications, template tutorial, and a whitepaper.
• Information Assurance for Enterprise Engineering (PLoP)
• Information Security Antipatterns in Software Requirements Engineering (PLoP)
• ...

2001

• APLRAC: A Pattern Language for Designing and Implementing Role-Based Access Control, EuroPLoP 2001 and KoalaPLoP 2001
• Transformations for Introducing Patterns - A Secure Systems Case Study, ETAPS 2001
• A Pattern Language for Security Models, PLoP 2001
• Security Engineering with Patterns, PLoP 2001
• A Pattern Language for Key Management, PLoP 2001
• Design Patterns in Security, SecurityPortal.com 2001
• Security Design Patterns, Sasha Romanosky, 2001
• Security Bug Pattern (Link Broken, it was http://www.andreas.org/SecurityBugPattern), "...many security problems could be avoided by knowing about these patterns and avoiding them during the design of the system ..."

2000

• The Object Filter and Access Control Framework, PLoP 2000
• Metadata and Authorization Patterns and a presentation about Security Patterns

1999

• The Authenticator Pattern, PLoP 1999

1998

• Tropyc: A Pattern Language for Cryptographic Software, PLoP 1998

1997

• Architectural Patterns for Enabling Application Security, PLoP 1997

We don't claim that this list is complete. Thus any hints on more work about security patterns are highly appreciated. You can submit new security patterns by e-mail. Please provide the title, author and a link to the document. Please let us also know, if there is a broken link.

© 1997-2010. The material provided on this page is copyrighted by the authors.