Abstract
Security patterns are reusable solutions, which enable the design of maintainable systems or applications that have to meet security requirements. The generic nature of security patterns and their growing number make their choices difficult, even for experts in software design. We propose to contribute in this issue by presenting a methodology of security pattern classification based upon data integration. The classification exhibits relationships among 215 software attacks, 66 security principles and 26 security patterns. It expresses pattern combinations, which are countermeasures to a given attack. This classification is semi-automatically inferred by means of a data-store integrating disparate publicly available security data. Besides pattern classification, we show that the data-store can be used to generate Attack Defence Trees. In our context, these illustrate, for a given attack, its sub-attacks, steps, techniques and the related defences given under the form of security pattern combinations. Such trees make the pattern classification more readable even for beginners in security patterns.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Security pattern catalog. http://www.munawarhafiz.com/securitypatterncatalog/
Alvi, A.K., Zulkernine, M.: A natural classification scheme for software security patterns. In: 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, pp. 113–120 (2011)
Alvi, A.K., Zulkernine, M.: A comparative study of software security pattern classifications. In: 2012 Seventh International Conference on Availability, Reliability and Security, pp. 582–589 (2012)
Bunke, M., Koschke, R., Sohr, K.: Organizing security patterns related to security and pattern recognition requirements. International Journal on Advances in Security 5 (2012)
Jhawar, R., Kordy, B., Mauw, S., Radomirović, S., Trujillo-Rasua, R.: Attack trees with sequential conjunction. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IAICT, vol. 455, pp. 339–353. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-18467-8_23
Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 173–176. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40196-1_15
Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. Journal of Logic and Computation p. exs029 (2012)
Meier, J.: Web application security engineering. IEEE Secur. Priv. 4(4), 16–24 (2006)
Mitre corporation: Common attack pattern enumeration and classification (2015). https://capec.mitre.org/
Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)
Schumacher, M.: Security Engineering with Patterns: Origins, Theoretical Models, and New Applications. Springer-Verlag New York Inc., Secaucus (2003)
Tøndel, I.A., Jensen, J., Røstad, L.: Combining misuse cases with attack trees and security activity models. In: International Conference on Availability, Reliability, and Security, 2010, ARES 2010, pp. 438–445. IEEE (2010)
Uzunov, A.V., Fernandez, E.B.: An extensible pattern-based library and taxonomy of security threats for distributed systems. Comput. Stand. Interfaces 36(4), 734–747 (2014)
Viega, J., McGraw, G.: Building Secure Software: How to Avoid Security Problems the Right Way. Portable Documents, Pearson Education (2001)
Wiesauer, A., Sametinger, J.: A security design pattern taxonomy based on attack patterns. In: International Joint Conference on e-Business and Telecommunications, pp. 387–394 (2009)
Willett, P.: Recent trends in hierarchic document clustering: a critical review. Inf. Process. Manag. 24(5), 577–597 (1988)
Yoder, J., Yoder, J., Barcalow, J., Barcalow, J.: Architectural patterns for enabling application security. In: Proceedings of PLoP 1997, vol. 51, p. 31 (1998)
Yskout, K., Heyman, T., Scandariato, R., Joosen, W.: A system of security patterns (2006)
Yskout, K., Scandariato, R., Joosen, W.: Do security patterns really help designers? In: Proceedings of the 37th International Conference on Software Engineering - Volume 1, pp. 292–302. ICSE 2015. IEEE Press, Piscataway (2015). http://dl.acm.org/citation.cfm?id=2818754.2818792
Acknowledgement
Research supported by the industrial chair on Digital Confidence http://confiance-numerique.clermont-universite.fr/index-en.html.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Salva, S., Regainia, L. (2018). Using Data Integration to Help Design More Secure Applications. In: Cuppens, N., Cuppens, F., Lanet, JL., Legay, A., Garcia-Alfaro, J. (eds) Risks and Security of Internet and Systems. CRiSIS 2017. Lecture Notes in Computer Science(), vol 10694. Springer, Cham. https://doi.org/10.1007/978-3-319-76687-4_6
Download citation
DOI: https://doi.org/10.1007/978-3-319-76687-4_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76686-7
Online ISBN: 978-3-319-76687-4
eBook Packages: Computer ScienceComputer Science (R0)