A SECURITY DESIGN PATTERN TAXONOMY BASED ON ATTACK PATTERNS - Findings of a Systematic Literature Review

Andreas Wiesauer, Johannes Sametinger

Abstract

Security design patterns are proven solutions to security problems in a given context with constructive measures of how to design certain parts of a software system. The literature contains numerous definitions, examples, and taxonomies of such patterns. There are also a few quality criteria for them. We suggest a new taxonomy based on attack patterns in order to enhance applicability of security design patterns especially for non-experts in software security. We further suggest a combined consideration of attack patterns, security design patterns and test cases for the validation and evaluation of security design patterns.

References

  1. Barnum, S. (2008). Common Attack Pattern Enumeration and Classification (CAPEC) Schema Description. Cigital Inc., http://capec.mitre.org/about/ documents.html.
  2. Barnum, S. and Sethi, A. (2006). Introduction to attack patterns. Technical report, U.S. Dept. of Homeland Security, https://buildsecurityin.uscert.gov/daisy/bsi/articles/knowledge/attack/585- BSI.html.
  3. Brereton, P., Kitchenham, B. A., Budgen, D., Turner, M., and Khalil, M. (2007). Lessons from applying the systematic literature review process within the software engineering domain. Journal of Systems and Software, 80(4):571-583.
  4. Buschmann, F., Henney, K., and Schmidt, D. C. (2007). Pattern-Oriented Software Architecture Volume 4: A Pattern Language for Distributed Computing. Wiley & Sons.
  5. Fernandez, E. B., Fonoage, M., VanHilst, M., and Marta, M. (2008). The secure three-tier architecture pattern. In Proc. of International Conference on Complex, Intelligent and Software Intensive Systems, pages 555-560, Los Alamitos, CA, USA. IEEE Computer Society.
  6. Fernandez, E. B. and Pan, R. (2001). A pattern language for security models. In Proceedings of PLoP 2001 Conference.
  7. Fernandez, E. B. and Yuan, X. (2007). Securing analysis patterns. In ACM-SE 45: Proceedings of the 45th annual southeast regional conference, pages 288-293, New York, NY, USA. ACM.
  8. Gamma, E., Helm, R., Johnson, R., and Vlissides, J. (1995). Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley.
  9. Hafiz, M., Adamczyk, P., and Johnson, R. E. (2007). Organizing security patterns. IEEE Software, 24(4):52-60.
  10. Hafiz, M. and Johnson, R. E. (2006). Security patterns and their classification schemes.
  11. Halkidis, S. T., Chatzigeorgiou, A., and Stephanides, G. (2004). A qualitative evaluation of security patterns. In Proceedings of the 6th International Conference on Information and Communications Security (ICICS), pages 132-144, Malaga, Spain. Springer.
  12. Heyman, T., Yskout, K., Scandariato, R., and Joosen, W. (2007). An analysis of the security patterns landscape. In SESS 7807: Proceedings of the Third International Workshop on Software Engineering for Secure Systems, page 3, Washington, DC, USA. IEEE Computer Society.
  13. Hoglund, G. and McGraw, G. (2004). Exploiting Software - How to Break Code. Addison Wesley.
  14. Horvath, V. and Dörges, T. (2008). From security patterns to implementation using petri nets. In SESS 7808: Proceedings of the fourth international workshop on Software engineering for secure systems, pages 17-24, New York, NY, USA. ACM.
  15. Howard, M. and Lipner, S. (2006). The Security Development Lifecycle. Microsoft Press.
  16. Kienzle, D. M. and Elder, M. C. (2001). Final technical report: Security patterns for web application development. Technical report, http://www.scrypt.net/c˜eler/securitypatterns/final
  17. Kienzle, D. M., Elder, M. C., Tyree, D., and Edwards-Hewitt, J. (2002). Security patterns repository version 1.0. Technical report, http://www.scrypt.net/˜celer/securitypatterns/ repository.pdf.
  18. Kitchenham, B. (2004). Procedures for undertaking systematic reviews. Technical report, Computer Science Department, Keele University (TR/SE-0401) and National ICT Australia Ltd (0400011T.1).
  19. Markus Schumacher, Eduardo Fernandez-Buglioni, D. H. F. B. P. S. (2005). Security Patterns. Integrating Security and Systems Engineering (Wiley Series in Software Design Patterns). Wiley & Sons.
  20. McGraw, G. (2006). Software Security: Building Security in. Addison-Wesley.
  21. Romanosky, S. (2001). Security design patterns. Technical report, http://www.cgisecurity.com/lib/ securityDesignPatterns.pdf.
  22. Schumacher, M. (2002). Security patterns. Informatik Spektrum, Juni 2002:220-223.
  23. Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., and Sommerlad, P. (2006). Security Patterns : Integrating Security and Systems Engineering (Wiley Software Patterns Series). John Wiley & Sons.
  24. Steel, C., Nagappan, R., and Lai, R. (2005). Core Security Patterns: Best Practices and Strategies for J2EE(TM), Web Services, and Identity Management. Prentice Hall PTR.
  25. Trowbridge, D., Cunningham, W., Evans, M., Brader, L., and Slater, P. (2004). Describing the Enterprise Architectural Space. Microsoft, http://msdn.microsoft.com/enus/library/ ms978655.aspx.
  26. Viega, J. and McGraw, G. (2001). Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley Professional.
  27. Weiss, M. and Mouratidis, H. (2008). Selecting security patterns that fulfill security requirements. In IEEE International Conference on Requirements Engineering, pages 169-172. IEEE Computer Society.
  28. Yoder, J. and Barcalow, J. (1997). Architectural patterns for enabling application security. In Proceedings of the 4th Conference on Patterns Language of Programming (PLoP'97).
  29. Yoshioka, N., Washizaki, H., and Maruyama, K. (2008). A survey on security patterns. Progress in Informatics, (5):35-47.
Download


Paper Citation


in Harvard Style

Wiesauer A. and Sametinger J. (2009). A SECURITY DESIGN PATTERN TAXONOMY BASED ON ATTACK PATTERNS - Findings of a Systematic Literature Review . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009) ISBN 978-989-674-005-4, pages 387-394. DOI: 10.5220/0002232503870394


in Bibtex Style

@conference{secrypt09,
author={Andreas Wiesauer and Johannes Sametinger},
title={A SECURITY DESIGN PATTERN TAXONOMY BASED ON ATTACK PATTERNS - Findings of a Systematic Literature Review},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
year={2009},
pages={387-394},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002232503870394},
isbn={978-989-674-005-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)
TI - A SECURITY DESIGN PATTERN TAXONOMY BASED ON ATTACK PATTERNS - Findings of a Systematic Literature Review
SN - 978-989-674-005-4
AU - Wiesauer A.
AU - Sametinger J.
PY - 2009
SP - 387
EP - 394
DO - 10.5220/0002232503870394