ABSTRACT
Since their introduction, security patterns had the promise to aid non-security experts to design secure software, yet in practice adoption and thus impact of security patterns remains limited. We believe one of the reasons is that existing security patterns are a mixture of security advice and advice on software design, such as encapsulation for maintainability. To address this, we propose a new security pattern catalogue in which we approach patterns from a security-centric perspective instead of a generic software engineering perspective. More specifically, we treat security as a first-class citizen while relying as much as possible on the vast body of knowledge from the security domain. Furthermore, our catalogue is structured to enable easy navigation for identifying relevant security problems and selecting appropriate solutions. In order to ensure a consistent level of abstraction and allow easier combination of multiple patterns, we describe our catalogue in a uniform description language and metamodel. An initial evaluation shows that our catalogue has good coverage of common security problems and solutions, indicating the catalogue's potential, but further evaluation is required to evaluate its impact in practice.
- Iván Arce, Neil Daswani, Jim Delgrosso, Danny Dhillon, Christoph Kern, Tadayoshi Kohno, Carl Landwehr, Gary McGraw, Brook Schoenfield, Margo Seltzer, Diomidis Spinellis, Izar Tarandach, and Jacob West. 2014. Avoiding the Top 10 Software Security Design Flaws. Technical Report. IEEE.Google Scholar
- Michaela Bunke. 2015. Software-Security Patterns: Degree of Maturity. In Proceedings of the 20th European Conference on Pattern Languages of Programs - EuroPLoP '15. Google ScholarDigital Library
- Eduardo B. Fernandez. 2013. Security Patterns in Practice - Designing Secure Architectures Using Software Patterns. John Wiley & Sons.Google ScholarDigital Library
- Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissidis. 1994. Design Patterns - Elements of Reusable Object-Oriented Software. Addison-Wesley.Google ScholarDigital Library
- Hui Guan, Hongji Yang, and Jun Wang. 2016. An Ontology-Based Approach to Security Pattern Selection. International Journal of Automation and Computing 13, 2 (April 2016), 168--182. Google ScholarDigital Library
- Gary McGraw. 2006. Software Security: Building Security In. Addison-Wesley Professional.Google ScholarDigital Library
- Anas Motii, Brahim Hamid, Agnès Lanusse, and Jean-Michel Bruel. 2015. Guiding the Selection of Security Patterns Based on Security Requirements and Pattern Classification. In Proceedings of the 20th European Conference on Pattern Languages of Programs (EuroPLoP '15). Association for Computing Machinery, New York, NY, USA. Google ScholarDigital Library
- OWASP. 2021. OWASP Top 10. https://owasp.org/Top10/.Google Scholar
- Markus Schumacher, Eduardo Fernandez-Buglioni, Duane Hybertson, Frank Buschmann, and Peter Sommerlad. 2006. Security Patterns - Integrating Security and Systems Engineering. John Wiley & Sons.Google ScholarDigital Library
- Adam Shostack. 2014. Threat Modeling - Designing for Security. John Wiley & Sons.Google Scholar
- Paulo Silva. 2017. OWASP API Security Top 10 2019 - The Ten Most Critical API Security Risks. Technical Report.Google Scholar
- Christopher Steel, Ramesh Nagappan, and Ray Lai. 2006. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management. Pearson Education, Inc.Google Scholar
- Alexander van den Berghe and Koen Yskout. 2021. Security Pattern Catalogue. https://securitypatterns.distrinet-research.be/.Google Scholar
- Alexander van den Berghe, Koen Yskout, and Wouter Joosen. 2018. Security Patterns 2.0: Towards Security Patterns Based on Security Building Blocks. In SEAD'18:IEEE/ACM 1st International Workshop on Security Awareness from Design to Deployment. Gothenburg, Sweden, 45--48. Google ScholarDigital Library
- Andrew van der Stock, Brian Glas, Neil Smithline, and Torsten Gigler. 2017. OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks. Technical Report. OWASP.Google Scholar
- Joseph Yoder and Jeffrey Barcalow. 1998. Architectural Patterns for Enabling Application Security. In Pattern Languages of Programs Conference (PLoP).Google Scholar
- Koen Yskout, Riccardo Scandariato, and Wouter Joosen. 2012. Does Organizing Security Patterns Focus Architectural Choices?. In 2012 34th International Conference on Software Engineering (ICSE). 617--627. Google ScholarCross Ref
- Koen Yskout, Riccardo Scandariato, and Wouter Joosen. 2015. Do Security Patterns Really Help Designers?. In IEEE/ACM 37th IEEE International Conference on Software Engineering. 292--302. Google ScholarCross Ref
Recommendations
Security patterns 2.0: towards security patterns based on security building blocks
SEAD '18: Proceedings of the 1st International Workshop on Security Awareness from Design to DeploymentSecurity patterns are intended to package reusable security solutions and have received considerable research attention in the two decades since their introduction. Practitioners seem less intent to use these security patterns while designing software, ...
A qualitative analysis of software security patterns
Software security, which has attracted the interest of the industrial and research community during the last years, aims at preventing security problems by building software without the so-called security holes. One way to achieve this goal is to apply ...
Evaluating the degree of security of a system built using security patterns
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and SecurityA variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of their products. In fact, we have no generally-accepted ways to measure if the product of some ...
Comments