Abstract security patterns for requirements specification and analysis of secure systems

security patterns for requirements specification and analysis of secure systems Eduardo B. Fernandez 1 , Nobukazu Yoshioka 2 , Hironori Washizaki 3 , and Joseph Yoder 4 Dept. of Computer Science and Engineering, Florida Atlantic University, USA ed@cse.fau.edu GRACE Center, National Institute of Informatics, Tokyo, Japan nobukazu@nii.ac.jp Waseda University, Tokyo, Japan washizaki@waseda.jp The Refactory, Inc, Urbana, IL, USA joe@joeyoder.com Abstract. During the requirements and analysis stages of software developDuring the requirements and analysis stages of software development, the primary goal is to define precise requirements rather than being concerned with the details of software realizations. Security is a semantic aspect of applications and their constraints on the application should de described at this moment. From a security point of view we only want to indicate which specific security controls are needed, rather than getting involved with low-level design and implementation details. Therefore, at these stages, it is useful to have a set of patterns which define abstract security mechanisms. These patterns should specify only the fundamental characteristics of the security mechanism or service, not specific software aspects. We present the concept of Abstract Security Pattern (ASP), which describes a conceptual security mechanism that realizes one or more security policies able to handle a threat or comply with a securityrelated regulation or institutional policy. We present a detailed example of an ASP. We relate ASPs to each other using pattern diagrams as well as to Security Solution Frames and tactics. Finally, we discuss their value for defining security requirements and for building secure systems.

[1]  Ying Liu,et al.  The Account Analysis Pattern , 2002, EuroPLoP.

[2]  Peter Sommerlad,et al.  Pattern-Oriented Software Architecture , 1996 .

[3]  Eduardo B. Fernández,et al.  Eliciting Security Requirements through Misuse Activities , 2008, 2008 19th International Workshop on Database and Expert Systems Applications.

[4]  Peter Sommerlad,et al.  Security Patterns: Integrating Security and Systems Engineering , 2006 .

[5]  Eduardo B. Fernández,et al.  Improving the Classification of Security Patterns , 2009, 2009 20th International Workshop on Database and Expert Systems Application.

[6]  Robert C. Seacord,et al.  Secure Design Patterns , 2009 .

[7]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[8]  Indrakshi Ray,et al.  An aspect-based approach to modeling access control concerns , 2004, Inf. Softw. Technol..

[9]  Ivar Jacobson,et al.  The unified modeling language reference manual , 2010 .

[10]  Jean Vanderdonckt,et al.  A methodology for designing information security feedback based on User Interface Patterns , 2009, Adv. Eng. Softw..

[11]  Joseph W. Yoder,et al.  Architectural Patterns for Enabling Application Security , 1998 .

[12]  Ramesh Nagappan,et al.  Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management , 2005 .

[13]  Eduardo Fernandez-Buglioni,et al.  Security Patterns in Practice: Designing Secure Architectures Using Software Patterns , 2013 .

[14]  Pierangela Samarati,et al.  Research Directions in Data and Applications Security XVIII , 2004, IFIP International Federation for Information Processing.

[15]  B FernandezEduardo,et al.  An extensible pattern-based library and taxonomy of security threats for distributed systems , 2014 .

[16]  Eduardo B. Fernández,et al.  An extensible pattern-based library and taxonomy of security threats for distributed systems , 2014, Comput. Stand. Interfaces.

[17]  Michael Weiss,et al.  Modeling Secure Systems Using an Agent-oriented Approach and Security Patterns , 2006, Int. J. Softw. Eng. Knowl. Eng..

[18]  Martin Gogolla,et al.  Object Constraint Language , 2009, Encyclopedia of Database Systems.

[19]  Eduardo B. Fernández,et al.  A Pattern System for Access Control , 2004, DBSec.

[20]  Hironori Washizaki,et al.  Abstract security patterns , 2008 .

[21]  Eduardo B. Fernández,et al.  Security solution frames and security patterns for authorization in distributed, collaborative systems , 2015, Comput. Secur..

[22]  Martin Fowler,et al.  Analysis patterns - reusable object models , 1996, Addison-Wesley series in object-oriented software engineering.

[23]  Eduardo B. Fernandez,et al.  A Comprehensive Pattern-Driven Security Methodology for Distributed Systems , 2014, 2014 23rd Australian Software Engineering Conference.

[24]  Helen M. Edwards,et al.  Problem frames: analyzing and structuring software development problems , 2002, Softw. Test. Verification Reliab..

[25]  Maritta Heisel,et al.  A Pattern System for Security Requirements Engineering , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).