Organizing Security Patterns Related to Security and Pattern Recognition Requirements

Software security is an emerging area in software development. More and more vulnerabilities are published, highlighting how exposed systems are. Hence, software designers and programmers are increasingly faced with the need to apply security solutions to software systems. Security patterns are best practices for handling recurring security problems. The abundance of documented security patterns calls for meaningful classifications to ease searching for and assessing the right pattern for the security problem at hand. Existing classifications of security patterns consider only a small number of patterns, and their purpose is often focused on implementation issues. Therefore, we identify aspects missing from existing classifications and the similarities between design pattern and security pattern classifications. Based on that, we introduce two new classification schemes. The first is based on application domains, formed by a literature survey of security patterns published from 1997 to mid-2012 in order to cover the whole bandwidth of existing security patterns. The second is based on the subset of the collected patterns that concern software and combines pattern-recognition needs with security aspects.

Keywords: Security Patterns, Design Patterns.
