
Towards a Conceptual Framework for Security Patterns

  • Chapter
Cyberpatterns

Abstract

We introduce security patterns as the most mature domain within cyberpatterns, and outline a conceptual framework to help understand and develop good security patterns. Security patterns help us move from an improvised craft to an engineering discipline because they transfer knowledge about proven solutions in an understandable and reusable format to experienced users and novices alike. Although security patterns are widely known, many questions remain unanswered regarding their conceptual foundation and practical use. We characterise the current pattern schemes using the Zachman Framework for enterprise architecture modelling, which allows us to structure and pose questions about both the problem domain and the corresponding solutions provided by security patterns. We propose a parallel security plane overlaying the entire Zachman grid, which allows security to be considered separately within the security plane, using the interrogative questions (who, what, where, when, why and how) to evaluate the six aspects. The integration between security and functional concerns is similarly aided by using the correspondence between aspects in the security and functional planes to decompose and examine the relationship between security patterns and problem context. We also briefly discuss security patterns as transformations, and related concepts such as tactics that may usefully be applied to security. We conclude with a set of unsolved challenges for security patterns. This discussion is relevant to other types of cyberpattern such as attack patterns, and may aid the eventual development of a comprehensive framework for cyberpatterns.


Author information

Corresponding author

Correspondence to Clive Blackwell.

Copyright information

© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Blackwell, C. (2014). Towards a Conceptual Framework for Security Patterns. In: Blackwell, C., Zhu, H. (eds) Cyberpatterns. Springer, Cham. https://doi.org/10.1007/978-3-319-04447-7_2

  • DOI: https://doi.org/10.1007/978-3-319-04447-7_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04446-0

  • Online ISBN: 978-3-319-04447-7

  • eBook Packages: Computer Science, Computer Science (R0)
