Does organizing security patterns focus architectural choices?

Security patterns can be a valuable vehicle to design secure software. Several proposals have been advanced to improve the usability of security patterns. They often describe extra annotations to be included in the pattern documentation. This paper presents an empirical study that validates whether those proposals provide any real benefit for software architects. A controlled experiment has been executed with 90 master students, who have performed several design tasks involving the hardening of a software architecture via security patterns. The results show that annotations produce benefits in terms of a reduced number of alternatives that need to be considered during the selection of a suitable pattern. However, they do not reduce the time spent in the selection process.

[1]  Thomas Heyman,et al.  An Analysis of the Security Patterns Landscape , 2007, Third International Workshop on Software Engineering for Secure Systems (SESS'07: ICSE Workshops 2007).

[2]  Peter Sommerlad,et al.  Security Patterns: Integrating Security and Systems Engineering , 2006 .

[3]  Ralph E. Johnson,et al.  Organizing Security Patterns , 2007, IEEE Software.

[4]  Wouter Joosen,et al.  Architecting software with security patterns , 2008 .

[5]  Jeffrey C. Carver,et al.  A checklist for integrating student empirical studies with research and teaching goals , 2010, Empirical Software Engineering.

[6]  Maritta Heisel,et al.  Analysis and Component-based Realization of Security Requirements , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[7]  Walter F. Tichy,et al.  Hints for Reviewing Empirical Work in Software Engineering , 2000, Empirical Software Engineering.

[8]  Steve Lipner,et al.  Security development lifecycle , 2010, Datenschutz und Datensicherheit - DuD.

[9]  Ralph Johnson,et al.  Security Patterns and their Classification Schemes , 2006 .

[10]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[11]  Mourad Debbabi,et al.  Security Design Patterns: Survey and Evaluation , 2006, 2006 Canadian Conference on Electrical and Computer Engineering.

[12]  John A. Zachman,et al.  A Framework for Information Systems Architecture , 1987, IBM Syst. J..

[13]  Mario Piattini,et al.  Security Patterns Related to Security Requirements , 2006, WOSIS.

[14]  Anton Naumenko,et al.  The Place and Role of Security Patterns in Software Development Process , 2006, WOSIS.

[15]  Per Runeson,et al.  Using Students as Experiment Subjects – An Analysis on Graduate and Freshmen Student Data , 2003 .

[16]  Ramesh Nagappan,et al.  Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management , 2005 .

[17]  Eduardo B. Fernández,et al.  Classifying Security Patterns , 2008, APWeb.

[18]  Michael Weiss,et al.  Modelling Security Patterns Using NFR Analysis , 2007 .

[19]  Eduardo B. Fernández,et al.  A Multi-Dimensional Classification for Users of Security Patterns , 2008, J. Res. Pract. Inf. Technol..

[20]  Paul Clements,et al.  Software architecture in practice , 1999, SEI series in software engineering.

[21]  Hironori Washizaki,et al.  A survey on security patterns , 2008 .