A classification methodology for security patterns to help fix software weaknesses

Regainia, Loukmen; Salva, Sébastien; Ecuhcurs, Cedric

doi:10.1109/aiccsa.2016.7945693

Cited by 8 publications

(11 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…After having studied the CAPEC base, we observed that attacks are described with a set of CWE weaknesses, a set of security principles and potential solutions and mitigations. These security activities can also be found in our previous classification (Regainia et al, 2016a), connecting weaknesses with security patterns. However, we noticed that the mitigations and security principles available in the attack documents often have a high level of abstraction making their use difficult.…”

Section: Classification Methodologymentioning

confidence: 82%

“…In Step 2, we collect the relationships between every attack and CWE weaknesses, reflecting which weakness is targeted by an attack. In Step 3, we reuse our earlier classification (Regainia et al, 2016a) to extract for every CWE weakness, the security principles, mitigations and security patterns which fix the weakness. After the consolidation of the different databases built in the previous steps, we obtain a database DB f from which the classification is automatically extracted in Step 4.…”

Section: Classification Methodologymentioning

confidence: 99%

“…In (Regainia et al, 2016a), we proposed a first semi-automatic methodology of classification and the classification itself, which exposes relationships among 185 software weaknesses of the CWE base (Mitre corporation, 2015b), security principles and 26 security patterns. It expresses which patterns partially mitigate a given weakness with respect to the security principles that have to be addressed to fix the weakness.…”

Section: Open Issues and Contributionsmentioning

confidence: 99%

“…We proposed in (Regainia et al, 2016a) a classification, which exposes relationships among software weaknesses, security principles and security patterns. More precisely, for a given weakness, it provides its mitigations, the security principles that have to be followed to fix the weakness, the strong points (sub-properties) of security patterns that meet these principles and finally the security patterns allowing to correct the weakness.…”

Section: Step 3: Connection Between Cwe Weaknesses and Security Patternsmentioning

confidence: 99%

“…The methodology takes as inputs CAPEC attacks, builds a hierarchical tree of attacks showing the sub-attacks of a given attack and links them with the targeted weaknesses found in the CWE base. Afterwards, we reuse an earlier work, proposed in (Regainia et al, 2016a), to build relationships among weaknesses, security principles and security patterns. All these steps provide the detailed justifications of the resulting classification.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

A Methodology of Security Pattern Classification and of Attack-Defense Tree Generation

Regainia

Salva

2017

Proceedings of the 3rd International Conference on Information Systems Security and Privacy

Self Cite

View full text Add to dashboard Cite

Security at the design stage of the software life cycle can be performed by means of security patterns, which are viable and reusable solutions to regular security problems. Their generic nature and growing number make their choice difficult though, even for experts in system design. To guide them through the appropriate choice of patterns, we present a methodology of security pattern classification and the classification itself, which exposes relationships among attacks, weaknesses and security patterns. Given an attack of the CAPEC (Common Attack Patterns Enumeration and Classification) database , the classification expresses the security pattern combinations that overcome the attack. The methodology, which generates the classification is composed of five steps, which decompose patterns and attacks into sets of more precise sub-properties that are associated. These steps provide the justifications of the classification and can be followed again to upgrade it. From the classification, we also generate Attack-Defense Trees (ADTtrees), which depict an attack, its sub-attacks and the related defenses in the form of security pattern combinations. Without loss of generality, this classification has been established for Web applications and covers 215 attacks, 136 software weaknesses and 26 security patterns.

show abstract

Section: Classification Methodologymentioning

confidence: 82%

Section: Classification Methodologymentioning

confidence: 99%

Section: Open Issues and Contributionsmentioning

confidence: 99%

Section: Step 3: Connection Between Cwe Weaknesses and Security Patternsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

A Methodology of Security Pattern Classification and of Attack-Defense Tree Generation

Regainia

Salva

2017

Proceedings of the 3rd International Conference on Information Systems Security and Privacy

Self Cite

View full text Add to dashboard Cite

show abstract

A Security Pattern Classification Based on Data Integration

Salva¹,

Regainia²

2018

Communications in Computer and Information Science

Self Cite

View full text Add to dashboard Cite

Security patterns are design patterns specialised to provide reusable and general solutions to recurring security problems. These patterns, which capture the strengths of different security approaches, are intended to make the design of maintainable and secure applications easier. The pattern community is continuously providing new security patterns (180 patterns are available at the moment). For a given problem, this growing pattern set along with their abstract presentations make the security pattern choice tedious, even for experts in software design. We contribute in this issue by presenting a method of security pattern classification based upon data extraction and integration. The pattern classification is semi-automatically inferred by means of a data-store integrating disparate publicly available security data. This classification exposes relationships among software attacks, weaknesses, security principles and security patterns. It expresses the pattern combinations that can counter a given attack. Besides the pattern classification, we show that the data-store can be used to generate Attack Defense Trees. In our context, these illustrate, for a given attack, its sub-attacks and the related defenses given under the form of security pattern combinations. Such trees make the pattern classification more readable even for beginners in security patterns. Finally, we evaluate on 25 human subjects the benefits of using Attack Defense Trees and a classification established for Web applications, which covers 215 attacks, 136 software weaknesses, 66 security principles and 26 security patterns.

show abstract