ASE: A comprehensive pattern-driven security methodology for distributed systems

Incorporating security features is one of the most important and challenging tasks in designing distributed systems. Over the last decade, researchers and practitioners have come to recognize that the incorporation of security features should proceed by means of a systematic approach, combining principles from both software and security engineering. Such systematic approaches, particularly those implying some sort of process aligned with the development life-cycle, are termed security methodologies. One of the most important classes of such methodologies is based on the use of security patterns. While the literature presents a number of pattern-driven security methodologies, none of them are designed specifically for general distributed systems. Going further, there are also currently no methodologies with mixed specific applicability, e.g. for both general and peer-to-peer distributed systems. In this paper we aim to fill these gaps by presenting a comprehensive pattern-driven security methodology specifically designed for general distributed systems, which is also capable of taking into account the specifics of peer-to-peer systems. Our methodology takes the principle of encapsulation several steps further, by employing patterns not only for the incorporation of security features (via security solution frames), but also for the modeling of threats, and even as part of its process. We illustrate and evaluate the presented methodology via a realistic example: the development of a distributed system for file sharing and collaborative editing. In both the presentation of the methodology and the example, our focus is on the early life-cycle phases (analysis and design).
