Results 1 - 10
of
127
Security Engineering with Patterns
- Lecture Notes in Computer Science, LNCS 2754
, 2002
"... Conducting digital business requires secure network and application architectures. The recently increasing occurrence of severe attacks has shown, however, that we will still need quite some time and effort to reach security standards of IT systems alike the standard already usual in other fields. ..."
Abstract
-
Cited by 57 (2 self)
- Add to MetaCart
Conducting digital business requires secure network and application architectures. The recently increasing occurrence of severe attacks has shown, however, that we will still need quite some time and effort to reach security standards of IT systems alike the standard already usual in other fields. At present, there is a huge gap between theory and the code of practice. Whereas scientists work on formal approaches for the specification and verification of security requirements, practitioners have to meet the users' requirements. The Pattern Community recognized this problem, too. Patterns literally capture the experience from experts in a structured way. Thus novices can benefit from know-how and skills of experts. Hence, we propose to apply the pattern approach to the security problem. We show that recent security approaches are not sufficient and describe how Security Patterns contribute to the overall process of security engineering. A Security Pattern System provides linkage between Security Patterns. Thus dependencies between specific security problems can be considered in a comprehensive way.
The Authenticator Pattern
- Proceedings of Pattern Language of Programs (PloP'99
"... Credential provides secure portable means of recording authentication and authorization information for use in distributed systems. Example Suppose we are building an instant messaging service to be used by members of a university community. Students, teachers and staff of the university may communi ..."
Abstract
-
Cited by 35 (1 self)
- Add to MetaCart
(Show Context)
Credential provides secure portable means of recording authentication and authorization information for use in distributed systems. Example Suppose we are building an instant messaging service to be used by members of a university community. Students, teachers and staff of the university may communicate with each other, while outside parties are excluded, perhaps for reasons of privacy. Members of the community may use computers on school grounds, or their own systems, so the client software is made available to the community and is installed on the computers of their choice. Any community member may use any computer with the client software installed. The client software communicates with servers run by the university in order to locate active participants and to exchange messages with them. In this environment, it is important to establish that the user of the client software is a member of the community, so that communications are kept private to the community. Further, when a student graduates, or an employee leaves the university, it must be possible to revoke their communications rights. Each member needs to be uniquely and correctly identified, and a member's identity should not be forgeable.
A pattern system for access control
- IN RESEARCH DIRECTIONS IN DATA AND APPLICATIONS SECURITY XVIII, C. FARKAS AND P. SAMARATI (EDS.), PROCS OF THE 18TH. ANNUAL IFIP WG 11.3 WORKING CONFERENCE ON DATA AND APPLICATIONS SECURITY
, 2004
"... In order to develop trustworthy information systems, security aspects should be considered from the early project stages. This is particularly true for authorization and access control services, which decide which users can access which parts of the system and in what ways. Software patterns have b ..."
Abstract
-
Cited by 27 (5 self)
- Add to MetaCart
In order to develop trustworthy information systems, security aspects should be considered from the early project stages. This is particularly true for authorization and access control services, which decide which users can access which parts of the system and in what ways. Software patterns have been used with success to encapsulate best practices in software design. A good collection of patterns is an invaluable aid in designing new systems by inexperienced developers and is also useful to teach and understand difficult problems. Following in this direction, this paper presents a pattern system to describe authorization and access control models. First, we present a set of patterns that include a basic authorization pattern that is the basis for patterns for the wellestablished discretionary and role-based access control models. Metadata access control models have appeared recently to address the high flexibility requirements of open, heterogeneous systems, such as enterprise or e-commerce portals. These models are complex and we use the basic patterns to develop a set of patterns for metadata-based access control.
Y.: Best-Practice Patterns and Tool Support for Configuring Secure Web
- Services Messaging. ICWS’04: International Conference on Web Services, San Diego, IEEE Computer Society(2004) 244–251
"... This paper presents an emerging tool for security configuration of service-oriented architectures with Web Services. Security is a major concern when implement-ing mission-critical business transactions and such con-cern motivated the development of Web Services Secu-rity (WS-Security). However, the ..."
Abstract
-
Cited by 20 (0 self)
- Add to MetaCart
(Show Context)
This paper presents an emerging tool for security configuration of service-oriented architectures with Web Services. Security is a major concern when implement-ing mission-critical business transactions and such con-cern motivated the development of Web Services Secu-rity (WS-Security). However, the existing tools for con-figuring the security properties of Web Services give a technology-oriented view, and only assist in choosing the data to encrypt and selecting an encryption algo-rithm. The users must construct their own mental mod-els of how the security configurations actually relate to business policies. In contrast, the tool described here gives a simpli-fied, business-policy-oriented view. It models the mes-saging with customers and business partners, lists vari-ous threats, and presents best-practice security patterns against the threats. A user can select among variations on the basic patterns according to the business policies, and then apply them to the messaging model through the GUI. The result of the pattern application is described
Security Patterns for Agent Systems
- PROCEEDINGS OF THE EIGHT EUROPEAN CONFERENCE ON PATTERN LANGUAGES OF PROGRAMS (EUROPLOP), IRSEE
, 2003
"... Security patterns capture the experiences of experts, allowing novices to rely on expert knowledge and solve security problems in a more systematic and structured way. So far, literature provides many examples of security patterns for object-oriented systems. However, no attempt has been made to doc ..."
Abstract
-
Cited by 19 (6 self)
- Add to MetaCart
(Show Context)
Security patterns capture the experiences of experts, allowing novices to rely on expert knowledge and solve security problems in a more systematic and structured way. So far, literature provides many examples of security patterns for object-oriented systems. However, no attempt has been made to document security patterns for multiagent systems. In this paper we present a set of patterns for secure agent systems that, currently, consisting of four patterns.
Security patterns repository, version 1.0
, 2006
"... A security pattern is a well-understood solution to a recurring information security problem. They are patterns in the sense originally defined by Christopher Alexander (the basis for much of the later work in design patterns and pattern languages of programs), applied to the domain of information s ..."
Abstract
-
Cited by 18 (0 self)
- Add to MetaCart
A security pattern is a well-understood solution to a recurring information security problem. They are patterns in the sense originally defined by Christopher Alexander (the basis for much of the later work in design patterns and pattern languages of programs), applied to the domain of information security. A security pattern encapsulates security expertise in the form of worked solutions to these recurring problems, presenting issues and trade-offs in the usage of the pattern. This document presents version 1.0 of our Security Patterns Repository. The Security Patterns Repository Version 1.0 consists of 26 patterns and 3 mini-patterns. (A mini-pattern is a shorter, less formal discussion of security expertise in terms of just a problem and its solution.) To define the scope of the problems our patterns address, we focused on the domain of web application security. The patterns are divided between structural patterns and procedural patterns. Structural patterns are patterns that can be implemented in an application; they encompass design patterns (such as those presented by the Gang of Four), but can also apply at the architectural or implementation levels. Procedural patterns are patterns that can be used to improve the process for development of security-critical software; they often impact the organization or management of a development project. Following the presentation of security patterns in this document, we include a comprehensive bibliography collecting references from all the patterns with other relevant web application security and patterns material. To supplement this patterns repository document, we have developed a Web application that is a functional repository for these Security Patterns. Our repository application enables viewing of patterns, submitting of feedback on the patterns, and editing of patterns for authorized users. We will include relevant example code within the repository document when this application is finalized. The Security Patterns repository is available at
A System of Patterns for Fault Tolerance
- in Proceedings of 2002 EuroPLoP Conference
"... Many fault tolerance techniques that have been devised, applied and improved over the past three decades represent general solutions to recurring problems in the design of fault tolerant computer systems. This document presents some of the best known such techniques, formatted as patterns and organi ..."
Abstract
-
Cited by 14 (4 self)
- Add to MetaCart
(Show Context)
Many fault tolerance techniques that have been devised, applied and improved over the past three decades represent general solutions to recurring problems in the design of fault tolerant computer systems. This document presents some of the best known such techniques, formatted as patterns and organized by a classification scheme into a system of patterns for fault tolerance. This pattern system reveals the relations among the presented patterns for fault tolerance and delineates a number of ways in which these patterns can be used to refine each other. In turn, these refinement relations create design frameworks for the development of fault tolerant systems with different efficiency and complexity characteristics.
Two patterns for web services security
- Proceedings of the International Symposium on Web Services and Applications, Las Vegas
, 2004
"... Patterns are widely used in software engineering where they have been successful in improving analysis and design by encapsulating the experience of many designers. Security patterns are a recent development as a way to encapsulate the accumulated knowledge about secure systems design. We present he ..."
Abstract
-
Cited by 13 (1 self)
- Add to MetaCart
(Show Context)
Patterns are widely used in software engineering where they have been successful in improving analysis and design by encapsulating the experience of many designers. Security patterns are a recent development as a way to encapsulate the accumulated knowledge about secure systems design. We present here two patterns for web services: 1) a Security Assertion Coordination pattern that coordinates authentication and authorization using a Role-Based Control (RBAC) model for access to distributed resources; and 2) A pattern for XML firewalls, that filters XML messages or documents according to institution policies. Because of space restrictions we only describe some sections of the standard template descriptions; more details can be seen in [1] and [7]. Keywords: Distributed systems security, Object-oriented patterns, SAML, Security patterns, XML firewalls Web services are increasing in importance but one of the main obstacles to their acceptance is security. This situation is improving with the appearance of several security standards that define architectural requirements to provide appropriate levels of security [2]. One of these standards is the Security Assertion Markup Language (SAML), that expresses security assertions that can be exchanged between nodes in a
Key Issues of a Formally Based Process Model for Security Engineering
- IN PROCEEDINGS OF THE 16TH INTERNATIONAL CONFERENCE ON SOFTWARE & SYSTEMS ENGINEERING AND THEIR APPLICATIONS (ICSSEA03
, 2003
"... In this paper we outline a new process model for security engineering. This process model extends object oriented, use case oriented software development by systematic security requirements elicitation and realization. In particular, we integrate the modeling of security requirements, threat and ri ..."
Abstract
-
Cited by 12 (2 self)
- Add to MetaCart
(Show Context)
In this paper we outline a new process model for security engineering. This process model extends object oriented, use case oriented software development by systematic security requirements elicitation and realization. In particular, we integrate the modeling of security requirements, threat and risk analysis on the one hand with the modeling of business processes, use cases and the construction of the software architecture on the other hand. Since formal methods play a special role in security engineering we characterize their usage within the process model presented.
An Analysis of the Security Patterns Landscape
"... Architectural and design patterns represent effective techniques to package expert knowledge in a reusable way. Over time, they have proven to be very successful in software engineering. Moreover, in the security discipline, a well-known principle calls for the use of standard, timetested solutions ..."
Abstract
-
Cited by 11 (1 self)
- Add to MetaCart
(Show Context)
Architectural and design patterns represent effective techniques to package expert knowledge in a reusable way. Over time, they have proven to be very successful in software engineering. Moreover, in the security discipline, a well-known principle calls for the use of standard, timetested solutions rather than inventing ad-hoc solutions from scratch. Clearly, security patterns provide a way to adhere to this principle. However, their adoption does not live up to their potential. To understand the reasons, this paper analyzes an extensive set of published security patterns according to several dimensions and outlines the directions for improvement. 1.
