A Multi-Dimensional Classification for Users of Security Patterns

Michael VanHilst, Eduardo B. Fernandez, Fabrício Braz

Abstract

This paper presents a classification for security patterns that addresses the needs of users. The approach uses a matrix defined by dividing the problem space along multiple dimensions, and allows patterns to occupy regions, defined my multiple cells in the matrix. It supports filtering for narrow or wide pattern selection, allows navigation along related axes of concern, and identifies gaps in the problem space that lack pattern coverage. Results are preliminary but highlight differences with existing classifications.

References

  1. Common Criteria, http://www.commoncriteriaportal.org/
  2. Blakley, B., Heath, C., members of The Open Group Security Forum: Technical Guide: Security Design Patterns. The Open Group, UK, April 2004.
  3. Delessy, N., Fernandez, E.B.: Patterns for the eXtensible Access Control Markup Language. Proc. 12th Pattern Languages of Programs Conference, Monticello, Illinois, USA, (2005) http://hillside.net/plop/2005/proceedings/
  4. Fernandez, E.B., Yuan, X.: Semantic Analysis Patterns. Proc. 19th Int. Conf. on Conceptual Modeling (2000), 183-195 http://www.cse.fau.edu/ed/SAPpaper2.pdf
  5. Fernandez, E.B., Larrondo-Petrie, M.M., Sorgente, T., VanHilst, M.: A Methodology to Develop Secure Systems Using Patterns. In: Mouratidis, H., Giorgini, P. (Eds.): Integrating Security and Software Engineering: Advances and Future Vision. IDEA Press (2006) 107- 126
  6. Fernandez, E.B., VanHilst, M., Larrondo Petrie, M.M., Huang, S.: Defining Security Requirements through Misuse Actions. In: Ochoa, S.F., Roman, G.-C. (Eds.): Advanced Software Engineering: Expanding the Frontiers of Software Technology, International Federation for Information Processing, Springer (2006) 123-137
  7. Fernandez, E.B., VanHilst, M., Pelaez, J.C.: Patterns for WiMax Security. Proc. EuroPLoP (2007) http://hillside.net/europlop/home.html
  8. Fernandez, E.B., Washizaki, H., Yoshioka, N., Kubo, A., Fukazawa, Y.: Classifying Security Patterns. Proc. 10th Asia-Pacific Web Conference, Shenyang, China, April 26-28 (2008)
  9. German D., Cowan, D.: Towards a Unified Catalog of Hypermedia Design Patterns. Proc. 33rd Hawaii International Conference on System Sciences, Maui, Hawaii, (2000)
  10. Federal Information Security Management Act (FISMA), March 18, 2007, http://iase.disa.mil/fisma/index.html
  11. Senate Banking Committee: Gramm-Leach-Bliley Act, Monday, November 1 (1999) http://www.senate.gov/banking/conf/fincon.pdf
  12. Hafiz, M., Adamczyk, P., Johnson, R.E.: Organizing Security Patterns. IEEE Software, 24(4), July/August (2007) 52-60
  13. United States Department of Health and Human Services, Office of Civil Rights: Health Insurance Portability and Accountability Act of 1996. http://www.hhs.gov/ocr/hipaa/
  14. Hoglan, G., McGraw, G.: Exploiting Software: How to Break Code. Addison-Wesley (2004)
  15. Howard, M., LeBlanc, D.: Writing Secure Code, (2nd Ed.). Microsoft Press (2003)
  16. Howard, M., Lipner, S.: The Security Development Lifecycle. Microsoft Press (2006)
  17. Leveson, N.: A New Accident Model for Engineering Safer Systems. Safety Science, 42(4), April (2004) 237-270
  18. Lipner, S., Howard, M.: The Trustworthy Computing Development Lifecycle, http://msdn2.microsoft.com/en-us/library/ms995349.aspx, March (2005)
  19. McGraw, G.: Software Security: Building Security. Addison-Wesley (2006)
  20. Nagaratnam, N., Nadalin, A., Hondo, M., McIntosh, M., Austel, P.: Business-Driven Application Security: from Modeling to Managing Secure Applications. IBM Systems Journal, 44(4) (2005) 847-867
  21. The OWASP Testing Project. http://www.modsecurity.org/archive/OWASPTesting_PhaseOne.pdf
  22. Pelaez, J.C., Fernandez, E.B.: Network Forensics in Wireless VoIP Networks, Proc. 4th Latin American and Caribbean Conference for Engineering and Technology. Mayaguez, Puerto Rico, (2006)
  23. Pelaez, J.C., Fernandez, E.B., Larrondo-Petrie, M.M., Wieser, C.: Attack Patterns in VoIP. Proc. 14th Pattern Languages of Programs Conference, Monticello, Illinois, USA, (2007)
  24. One Hundred Seventh Congress of the United States of America: Sarbanes-Oxley Act of 2002. http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
  25. Schumacher, M., Ackermann, R., Steinmetz, R.: Towards Security at All Stages of a System's Life Cycle. Proc. Int. Conf. on Software, Telecommunications, and Computer Networks (2000) 11-19
  26. Schumacher, M., Roedig, U.: Security Engineering with Patterns. Proc. 8th Pattern Languages of Programs Conference (2001)
  27. Schumacher, M., Fernandez, E.B., Hybertson, D., Buschmann, F., Sommerlad, P.: Security Patterns: Integrating Security and Systems Engineering. Wiley (2006)
  28. Steel, C., Nagappan, R., Lai, R.: Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management. Prentice Hall (2005)
  29. Systems Security Engineering - Capability Maturity Model, http://www.sse-cmm.org
  30. Trowbridge, D., Cunningham, W., Evans, M., Brader, L., Describing the Enterprise Architectural Space. MSDN (2004) http://msdn2.microsoft.com/en-us/library/ms978655.aspx
  31. Viega, J., McGraw, G.: Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley (2001)
Download


Paper Citation


in Harvard Style

VanHilst M., Fernandez E. and Braz F. (2008). A Multi-Dimensional Classification for Users of Security Patterns . In Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008) ISBN 978-989-8111-44-9, pages 89-98. DOI: 10.5220/0001741300890098


in Bibtex Style

@conference{wosis08,
author={Michael VanHilst and Eduardo B. Fernandez and Fabrício Braz},
title={A Multi-Dimensional Classification for Users of Security Patterns},
booktitle={Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008)},
year={2008},
pages={89-98},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001741300890098},
isbn={978-989-8111-44-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008)
TI - A Multi-Dimensional Classification for Users of Security Patterns
SN - 978-989-8111-44-9
AU - VanHilst M.
AU - Fernandez E.
AU - Braz F.
PY - 2008
SP - 89
EP - 98
DO - 10.5220/0001741300890098