Security Engineering with Patterns: Origins, Theoretical Models, and New Applications | Guide books

Security Engineering with Patterns: Origins, Theoretical Models, and New ApplicationsSeptember 2003

Go to Security Engineering with Patterns

September 2003

Author:
Markus Schumacher

Publisher:

Springer-Verlag
Berlin, Heidelberg

ISBN:978-3-540-40731-7

Published:01 September 2003

Pages:

208

Available at Amazon

Bibliometrics

Sections

2003

Abstract

No abstract available.

Cited By

Athinaiou M, Mouratidis H, Fotis T and Pavlidis M A Conceptual Redesign of a Modelling Language for Cyber Resiliency of Healthcare Systems Computer Security, (140-158)
Salva S and Regainia L (2019). An approach for guiding developers in the choice of security solutions and in the generation of concrete test cases, Software Quality Journal, 27:2, (675-701), Online publication date: 1-Jun-2019.
Washizaki H, Yu Y, Kaiya H, Yoshioka N, Hu Z, Xiong Y and Hosseinian-Far A (2017). Goal Modelling for Security Problem Matching and Pattern Enforcement, International Journal of Secure Software Engineering, 8:3, (42-57), Online publication date: 1-Jul-2017.
Ruiz J, Arjona M, Maña A and Rudolph C (2017). Security knowledge representation artifacts for creating secure IT systems, Computers and Security, 64:C, (69-91), Online publication date: 1-Jan-2017.
Hamid B and Perez J (2016). Supporting pattern-based dependability engineering via model-driven development, Journal of Systems and Software, 122:C, (239-273), Online publication date: 1-Dec-2016.
Jasser S and Riebisch M Reusing security solutions Proccedings of the 10th European Conference on Software Architecture Workshops, (1-7)
Berger B, Sohr K and Koschke R Automatically Extracting Threats from Extended Data Flow Diagrams Proceedings of the 8th International Symposium on Engineering Secure Software and Systems - Volume 9639, (56-71)
Bouaziz R and Kammoun S A Decision Support Map for Security Patterns Application Proceedings, Part IV, of the 15th International Conference on Computational Science and Its Applications -- ICCSA 2015 - Volume 9158, (750-759)
Hamid B and Percebois C A Modeling and Formal Approach for the Precise Specification of Security Patterns Proceedings of the 6th International Symposium on Engineering Secure Software and Systems - Volume 8364, (95-112)
Maña A, Fernandez E, Ruiz J and Rudolph C Towards computer-oriented security patterns Proceedings of the 20th Conference on Pattern Languages of Programs, (1-14)
Preschern C, Kajtazovic N and Kreiner C Building a safety architecture pattern system Proceedings of the 18th European Conference on Pattern Languages of Program, (1-55)
Radermacher A, Hamid B, Fredj M and Profizi J Process and tool support for design patterns with safety requirements Proceedings of the 18th European Conference on Pattern Languages of Program, (1-16)
Preschern C Catalog of security tactics linked to common criteria requirements Proceedings of the 19th Conference on Pattern Languages of Programs, (1-17)
Kost M and Freytag J Privacy analysis using ontologies Proceedings of the second ACM conference on Data and Application Security and Privacy, (205-216)
Ruiz J, Harjani R and Maña A A security-focused engineering process for systems of embedded components Proceedings of the International Workshop on Security and Dependability for Resource Constrained Embedded Systemss, (1-9)
Muñoz A and Maña A Facilitating the use of TPM technologies using the serenity framework Proceedings of the 8th international conference on Autonomic and trusted computing, (164-174)
van Veenstra A and Ramilli M Exploring information security issues in public sector inter-organizational collaboration Proceedings of the 10th IFIP WG 8.5 international conference on Electronic government, (355-366)
Bouaziz R, Hamid B and Desnos N Towards a better integration of patterns in secure component-based systems design Proceedings of the 2011 international conference on Computational science and Its applications - Volume Part V, (607-621)
Hamid B, Desnos N, Grepet C and Jouvray C Model-based security and dependability patterns in RCES Proceedings of the International Workshop on Security and Dependability for Resource Constrained Embedded Systems, (1-4)
Busnel P and Giroux S Security, privacy, and dependability in smart homes Proceedings of the Aging friendly technology for health and independence, and 8th international conference on Smart homes and health telematics, (24-31)
Schnjakin M, Menzel M and Meinel C A pattern-driven security advisor for service-oriented architectures Proceedings of the 2009 ACM workshop on Secure web services, (13-20)
Supakkul S, Hill T, Chung L and Oladimeji E Goal-oriented security threat mitigation patterns Proceedings of the 16th Conference on Pattern Languages of Programs, (1-15)
Busnel P, El Khoury P, Li K, Saidane A and Zannone N (2009). S&D Pattern Deployment at Organizational Level, Electronic Notes in Theoretical Computer Science (ENTCS), 244, (27-39), Online publication date: 1-Aug-2009.
Parrend P and Frenot S (2009). Security benchmarks of OSGi platforms: toward Hardened OSGi, Software—Practice & Experience, 39:5, (471-499), Online publication date: 1-Apr-2009.
Fenz S and Ekelhart A Formalizing information security knowledge Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, (183-194)
Compagna L, El Khoury P, Krausová A, Massacci F and Zannone N (2009). How to integrate legal requirements into a requirements engineering methodology for the development of security and privacy patterns, Artificial Intelligence and Law, 17:1, (1-30), Online publication date: 1-Mar-2009.
Yu Y, Kaiya H, Washizaki H, Xiong Y, Hu Z and Yoshioka N Enforcing a security pattern in stakeholder goal models Proceedings of the 4th ACM workshop on Quality of protection, (9-14)
Horvath V and Dörges T From security patterns to implementation using petri nets Proceedings of the fourth international workshop on Software engineering for secure systems, (17-24)
Breu R, Popp G and Alam M (2007). Model based development of access policies, International Journal on Software Tools for Technology Transfer (STTT), 9:5-6, (457-470), Online publication date: 1-Oct-2007.
Compagna L, Khoury P, Massacci F, Thomas R and Zannone N How to capture, model, and verify the knowledge of legal, security, and privacy experts Proceedings of the 11th international conference on Artificial intelligence and law, (149-153)
Alam M, Hafner M and Breu R A constraint based role based access control in the SECTET a model-driven approach Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, (1-13)
Alam M Model driven security engineering for the realization of dynamic security requirements in collaborative systems Proceedings of the 2006 international conference on Models in software engineering, (278-287)
Hafner M, Alam M and Breu R Towards a MOF/QVT-Based domain architecture for model driven security Proceedings of the 9th international conference on Model Driven Engineering Languages and Systems, (275-290)
Balopoulos T, Gymnopoulos L, Karyda M, Kokolakis S, Gritzalis S and Katsikas S A framework for exploiting security expertise in application development Proceedings of the Third international conference on Trust, Privacy, and Security in Digital Business, (62-70)
Mouratidis H, Jürjens J and Fox J Towards a comprehensive framework for secure systems development Proceedings of the 18th international conference on Advanced Information Systems Engineering, (48-62)
Mouratidis H, Weiss M and Giorgini P Security patterns meet agent oriented software engineering Proceedings of the 24th international conference on Conceptual Modeling, (225-240)
Babar M, Wang X and Gorton I Supporting security sensitive architecture design Proceedings of the First international conference on Quality of Software Architectures and Software Quality, and Proceedings of the Second International conference on Software Quality, (140-154)

Contributors

Markus Schumacher
Technical University of Darmstadt
- Publication Years2000 - 2005
- Publication counts6
- Citation count218
- Available for Download1
- Downloads (cumulative)2,065
- Downloads (12 months)16
- Downloads (6 weeks)1
- Average Downloads per Article2,065
- Average Citation per Article36
View Full Profile

Index Terms

Reviews

Reviewer: Kevin W. Wall

Schumacher is a leading authority in the security patterns community, and those approaching his book from a pedantic perspective will find some useful information in it. However, both security and pattern novices, as well as those wishing for a more immediately practical approach, will be put off by its doctoral dissertation-turned-book style. The book is organized into three major sections, in ten chapters. Chapter 1, the introduction, begins with a brief but obligatory “why security is important” speech, then summarizes the author’s view of core security problems, and succinctly previews his proposed solution, namely security engineering using patterns. The introduction ends with an overview of the book’s organization. In Part 1, “Context,” the author discusses software development patterns, including a concise history of patterns, basic pattern concepts, and the organization of individual patterns into larger structures, such as pattern catalogs, pattern systems, and pattern languages. This leads into an examination of pattern classification, and methods of writing and mining patterns, naturally followed by an ensuing discourse on the definition and representation of ontologies, and their role in the security engineering process. In Part 2, “Problem,” Schumacher explores his hardly disputed hypothesis that “human failings are a major reason for security breaches,” and that much design of security is ad hoc, usually done as something of an afterthought. He then offers two simple (and, I would say, rather unconvincing and hardly conclusive) case studies to support this hypothesis. From there, he begins a discussion of classification frameworks of “security improvement artifacts,” which he describes as “any approach, standard, role, method, technique, or tool that helps to improve security.” Here, he begins a dialogue integrating these security improvement artifacts into the software development life cycle, at each stage dedicating two or three pages to a discussion of relevant techniques. After spending about half of the book covering the background, and the existing security terrain, Schumacher finally begins his vision for his “security core ontology” at the end of Part 2. He clarifies some very specific fundamental definitions of terms, such as “asset,” “threat,” “attack,” and “vulnerability,” and ends with a few diagrams showing how all of these concepts relate. One wonders why he did not define these terms, and the relationship between them, much earlier, since he uses them from the beginning. Having at last covered sufficient material to address security patterns in any detail, the author starts Part 3, “Solution,” with a simple example of a password-related security pattern, followed by a brief history of security patterns, and ends it with a monograph on what constitutes a security pattern (versus a software pattern in general). Next is a rather formal attempt at tying earlier chapters together, by integrating Schumacher’s ontology with security patterns. While this section composes the heart of the author’s original research, it also is the chapter that the majority of readers will find the most difficult to slog their way through, since it consists of many mathematical symbols, unusual notation, and formal proofs. Schumacher then describes his vision of a “security pattern search engine,” which can be used by security novices to find security patterns to act as countermeasures against various security threats and vulnerabilities. Part 3 ends by detailing some experiments with a proof-of-concept prototype, and their results. The book ends with a summary chapter, five appendices, a reference section, and an index. The appendices cover sources useful for mining security patterns, present a few more examples of security patterns, and illustrate these examples augmented with metadata described in F-Logic. Also included is a more in-depth review of ontologies, as well as an introduction to F-Logic, a deductive, higher-order language based on knowledge frames and first-order predicate calculus, and frequently used for reasoning in knowledge-based systems. The list of references is very thorough, and includes several interesting ones that I was not aware of, but plan to explore further when time permits. On the other hand, the index is rather sparse, and its organization is somewhat counterintuitive. For example, the index lists people by their first names, rather than their surnames. Although it is no fault of the author, the book fell short of my initial hopes for it being a practical, much needed Gang of Four-like book [1] for the security community. While the techniques that it teaches would be most useful to security novices (one of Schumacher’s intents in selecting security patterns), they are perhaps among the least likely group to read this treatise. Although the book strives to address security in laymen’s terms, as one who has practiced as an information security specialist for the past seven years, as well as spending two years teaching an introductory graduate-level computer security class, I feel that the book will fail to appeal to most security novices. Again, this is no fault of Schumacher, but rather endemic to the modern, fast-paced society in which we live. In this age of watered-down, so-called technical books meant to entertain us (the For Dummies series comes to mind), and books for the impatient (the Learn Information Security in 24 Hours types), security newbies are not going to have the discipline to plod through a book that lacks the security sex appeal that books like the Hacking Exposed series have made popular. Rather, these books will more likely appeal to those in academia who are interested in information security. As a computer security practitioner, I found myself disagreeing with points here and there in this book, but overall, and especially as an academic, I felt this work used a pedagogical approach worth further exploration. Online Computing Reviews Service

Reviewer: Ghita Kouadri Mostéfaoui

Security is an important aspect of emerging open systems, such as those in e-commerce and similar applications. Security is, however, often added after the system is already built, and, therefore, many problems may arise from the lack of a systematic consideration of security in the system analysis and design stages, and throughout the whole of system development. Security patterns have been proposed to encourage such an approach, and to encapsulate best practices in security design, as is the case with software patterns. The main advantage of this paradigm is to address the human factor, which is a main source of errors in building security systems. "A security pattern describes a particular recurring security problem that arises in a specific security context and presents a well-proven generic scheme for a security solution." For example, there are patterns for access control, passwords, and firewalls. This book provides an anchor reference for security patterns. The author gained his expertise from planning and organizing the security workshop Hacker Context, and supervising a set of security-related master's theses. The book is divided into 10 chapters. These chapters address the need for, and history of, security patterns (chapters 1 through 6), and present the foundations of security patterns, provide a theoretical model, and discuss their main applications (chapters 7 and 8). Chapter 10 reviews previous chapters, by discussing the contribution of each one of these chapters, and concludes the book. This text was initially a Ph.D. thesis, which was then published in the form of a book. I don't recommend it for classroom use, but rather as introductory material for people wishing to understand security patterns. I also recommend supplemental material (in the form of a pattern catalog), which I consider a must to complement the book. The pattern catalog is available at http://www.opengroup.org/publications/catalog/g031.htm, and enables system architects and designers to develop security architectures that meet their particular requirements. Online Computing Reviews Service

Access critical reviews of Computing literature here

Become a reviewer for Computing Reviews.

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Recommendations

Safety and Security Engineering
Software-security patterns: degree of maturity
EuroPLoP '15: Proceedings of the 20th European Conference on Pattern Languages of Programs

Since Gamma et al. published their design patterns, patterns are very popular in the area of software engineering. They provide best practice to handle recurring problems during the software development phase. Three years later, security patterns ...
Applied J2ee Security Patterns: Architectural Patterns & Best Practices

Save to Binder