Security Patterns and A Methodology to Apply them

  • Eduardo B. Fernandez
Part of the Advances in Information Security book series (ADIS, volume 45)


Patterns encapsulate experience and good practices that can be used for new designs. Analysis and design patterns are well established as a convenient and reusable way to build high-quality object-oriented software. Security patterns join the extensive knowledge accumulated about security with the structure provided by patterns to provide guidelines for secure system design and evaluation. A variety of security patterns has been developed for the construction of secure systems. We survey the security patterns developed by our group and a few other researchers. We apply these patterns through a secure system development method based on a hierarchical architecture whose layers define the scope of each security mechanism. We are building a catalog of security patterns that helps in defining the security mechanisms at each architectural level and at each development stage. In addition to their value for new system design, security patterns are useful for evaluating existing systems by analyzing whether they include specific patterns. They are also useful for comparing security standards and for verifying that products comply with the standard. Finally, we have found security patterns very valuable for teaching security concepts and mechanisms.


Keywords: Access Control, Secure System, Design Pattern, Security Model, Security Mechanism
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag US 2009

Authors and Affiliations

  1. Dept. of Computer Science and Engineering, Florida Atlantic University, Boca Raton, USA
