Towards a pattern language for security risk analysis of web applications

This article introduces a pattern language for security risk analysis of web applications in an example driven manner. The example patterns presented include a composite pattern and three basic patterns, namely a security requirements pattern, a web application design pattern and a risk analysis modelling pattern. The pattern language is intended to be used as a guideline to capture the security risk picture of a web application, especially in the early phase of the software development life cycle. The overall aim is to support light weighted security risk analysis for web applications.

[1]  Michael A. Jackson,et al.  Problem Frames - Analysing and Structuring Software Development Problems , 2000 .

[2]  Yan Li Conceptual Framework for Security Testing , Security Risk Analysis and their Combinations , 2012 .

[3]  Richard F. Paige,et al.  Fault trees for security system design and analysis , 2003, Comput. Secur..

[4]  Eduardo B. Fernández,et al.  A Methodology for Secure Software Design , 2004, Software Engineering Research and Practice.

[5]  Philippe Kruchten,et al.  The 4+1 View Model of Architecture , 1995, IEEE Softw..

[6]  Bjørnar Solhaug,et al.  Model-driven risk analysis of evolving critical infrastructures , 2014, J. Ambient Intell. Humaniz. Comput..

[7]  Maritta Heisel,et al.  A Pattern System for Security Requirements Engineering , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[8]  Prashant Jain,et al.  The Three-Tier Architecture Pattern Language Design Fest , 2001, EuroPLoP.

[9]  Antonio Maña,et al.  Security Patterns, Towards a Further Level , 2009, SECRYPT.

[10]  Robert C. Seacord,et al.  Secure Design Patterns , 2009 .

[11]  Maritta Heisel,et al.  A Pattern-Based Method to Develop Secure Software , 2011 .

[12]  Max Jacobson,et al.  A Pattern Language: Towns, Buildings, Construction , 1981 .

[13]  Maritta Heisel,et al.  A Security Engineering Process based on Patterns , 2007 .

[14]  Eoin Woods,et al.  Experiences Using Viewpoints for Information Systems Architecture: An Industrial Experience Report , 2004, EWSA.

[15]  Eduardo Fernandez-Buglioni,et al.  Security Patterns in Practice: Designing Secure Architectures Using Software Patterns , 2013 .

[16]  Eduardo B. Fernández,et al.  Eliciting Security Requirements through Misuse Activities , 2008, 2008 19th International Workshop on Database and Expert Systems Applications.

[17]  Peter Sommerlad,et al.  Security Patterns: Integrating Security and Systems Engineering , 2006 .

[18]  Stephen Withall Software Requirement Patterns , 2007 .

[19]  Robert J. Ellison,et al.  Attack Trees , 2009, Encyclopedia of Biometrics.

[20]  Jakub Miler,et al.  RISK IDENTIFICATION PATTERNS FOR SOFTWARE PROJECTS , 2004 .

[21]  Chen-Ching Liu,et al.  Vulnerability Assessment of Cybersecurity for SCADA Systems Using Attack Trees , 2007, 2007 IEEE Power Engineering Society General Meeting.

[22]  Richard Anthony,et al.  Large-Scale Software Architecture: A Practical Guide using UML , 2002 .

[23]  B. F. Castro Buschmann, Frank; Meunier, Regine; Rohnert, Hans; Sommerlad, Peter; Stal, Michael. Pattern-oriented software architecture: a system of patterns, John Wiley & Sons Ltd, 1996 , 1997 .

[24]  Joseph W. Yoder,et al.  Architectural Patterns for Enabling Application Security , 1998 .

[25]  Richard N. Taylor,et al.  Software architecture: foundations, theory, and practice , 2009, 2010 ACM/IEEE 32nd International Conference on Software Engineering.

[26]  Eduardo B. Fernandez,et al.  Security patterns in practice : designing secure architectures using software patterns , 2013 .

[27]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[28]  Dirk Riehle Composite design patterns , 1997, OOPSLA '97.

[29]  Ramesh Nagappan,et al.  Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management , 2005 .

[30]  Ketil Stølen,et al.  Model-Driven Risk Analysis - The CORAS Approach , 2010 .

[31]  Hironori Washizaki,et al.  A survey on security patterns , 2008 .

[32]  Ketil Stølen,et al.  SACS: a pattern language for safe adaptive control software , 2011, PLoP '11.

[33]  Peter Sommerlad,et al.  Pattern-Oriented Software Architecture Volume 1: A System of Patterns , 1996 .

[34]  Giuseppe Menga,et al.  Patterns for Three-Tier Client/Server Applications , 1996 .