A Qualitative Evaluation of Security Patterns

  • Spyros T. Halkidis
  • Alexander Chatzigeorgiou
  • George Stephanides
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3269)


Software security has received a lot of attention in recent years. It aims at preventing security problems by building software without the so-called security holes. One way to do this is to apply specific patterns in software architecture. In the same way that the well-known design patterns for building well-structured software have been used, a new kind of pattern, called security patterns, has emerged. The way to build secure software is still vague, but guidelines for this have already appeared in the literature. Furthermore, the key problems in building secure software have been identified, as have the threat categories that a software system faces. Based on these facts, it would be useful to evaluate known security patterns according to how well they follow each guideline, how they address the known problems in building secure software, and which of the threat categories they take care of.





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Spyros T. Halkidis (1)
  • Alexander Chatzigeorgiou (1)
  • George Stephanides (1)
  1. Department of Applied Informatics, University of Macedonia, Thessaloniki, Greece
