Growing a pattern language (for security)

Hafiz, Munawar; Adamczyk, Paul; Johnson, Ralph E.

doi:10.1145/2384592.2384607

Cited by 50 publications

(24 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers have been documenting security patterns for decades, and there have been similar efforts to increase the usability of patterns [16]. We now review and discuss the similarities of these related efforts in the security pattern domain, and how they differ from our own work.…”

Section: Related Workmentioning

confidence: 99%

“…More recently, there has been substantial work on object-oriented design patterns [14], requirements patterns [9,15] and security patterns [10,12,16]. A security requirements pattern provides a software engineer with a reusable set of requirements to solve common security problems.…”

Section: A Pattern Languagesmentioning

confidence: 99%

“…Hafiz et al introduce an approach for organizing and describing the relationship between patterns using directed acyclic graphs [16]. Their approach uses a hierarchical scheme based on threat models in order to classify security patterns.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Managing security requirements patterns using feature diagram hierarchies

Slavin

Lehker

Niu

et al. 2014

2014 IEEE 22nd International Requirements Engineering Conference (RE)

View full text Add to dashboard Cite

Abstract-Security requirements patterns represent reusable security practices that software engineers can apply to improve security in their system. Reusing best practices that others have employed could have a number of benefits, such as decreasing the time spent in the requirements elicitation process or improving the quality of the product by reducing product failure risk. Pattern selection can be difficult due to the diversity of applicable patterns from which an analyst has to choose. The challenge is that identifying the most appropriate pattern for a situation can be cumbersome and time-consuming. We propose a new method that combines an inquiry-cycle based approach with the feature diagram notation to review only relevant patterns and quickly select the most appropriate patterns for the situation. Similar to patterns themselves, our approach captures expert knowledge to relate patterns based on decisions made by the pattern user. The resulting pattern hierarchies allow users to be guided through these decisions by questions, which elicit and refine requirements as well as introduce related patterns. Furthermore, our approach is unique in the way that pattern forces are interpreted as quality attributes to balance trade-offs in the resulting requirements. We evaluate our approach using access control patterns in a pattern user study.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: A Pattern Languagesmentioning

confidence: 99%

See 1 more Smart Citation

Managing security requirements patterns using feature diagram hierarchies

Slavin

Lehker

Niu

et al. 2014

2014 IEEE 22nd International Requirements Engineering Conference (RE)

View full text Add to dashboard Cite

show abstract

“…These security threats are dangerous for financial transactions, such as fund transfer in online banking system, online bill payment, loan application, and other online transactions. Hafiz et al [13] described a pattern language for security aspects, having ninety six patterns. Although for any application, all patterns may not be applied; but based on security requirements for the case study on online banking system, five software security patterns such as Single Sign On, Check Point, Authenticator, Policy, and Secure Proxy have been considered.…”

Section: Identification and Composition Of Security Patternsmentioning

confidence: 99%

Formalization of Web Security Patterns

Dwivedi

Rath

2015

INFOCOMP

View full text Add to dashboard Cite

Abstract. Security issues in software industries become more and more challenging due to malicious attacks and as a result, it leads to exploration of various security holes in software system. In order to secure the information assets associated with any software system, organizations plan to design the system based on a number of security patterns, useful to build and test new security mechanisms. These patterns are nothing but certain design guidelines. But they have certain limitations in terms of consistency and usability. Hence, these security patterns may sometimes act as insecure. In this study, an attempt has been made to compose security patterns for the web-based application. Subsequently, a formal modeling approach for the composition of security patterns is presented. In order to maximize comprehensibility, Unified Modeling Language (UML) notations are used to represent structural and behavioral aspects of a web-based system. A formal modeling language i.e., Alloy has been taken into consideration for analyzing web-based security pattens. For the demonstration of this approach, a case study i.e., an online banking system is considered. A qualitative evaluation is performed for the identified security patterns against the critical security properties. In this study a model-driven framework is presented, which helps to automate the process of analyzing web security patterns.

show abstract

“…The CERT Program is developing a library of insider threat enterprise architectural patterns [Mundie 2012] based on the data we have collected and our previous qualitative analyses and previous work documenting security patterns [Schumacher 2006, Hafiz 2012. Our previous research has generated strong, specific hypotheses for a follow-on quantitative and explanatory investigation of the pattern "Increased Review for IP Theft by Departing Insiders," which is the subject of this paper.…”

Section: Introductionmentioning

confidence: 99%

Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders

Moore¹,

McIntire²,

Mundie³

et al. 2013

View full text Add to dashboard Cite

This paper describes an analysis that justifies applying the pattern "Increased Review for Intellectual Property (IP) Theft by Departing Insiders." The pattern helps organizations plan, prepare, and implement a strategy to mitigate the risk of insider theft of IP. The analysis shows that organizations can reduce their risk of insider theft of IP through increased review of departing insiders' actions during a relatively small window of time prior to their departure. Preliminary research results show that approximately 70% of insider IP thieves can be caught by following the pattern's recommendation of reviewing insiders' actions for theft events during only the last two months of their employment. These results provide practical guidance for practitioners wishing to fine tune the application of the pattern for their organizations. "Increased Review for IP Theft by Departing Insiders" is part of the CERT ® Insider Threat Center's evolving library of enterprise architectural patterns for mitigating the insider threat, based on the Center's collected data. The Center's larger goal is to foster greater organizational resilience to insider threat, using repeated application of patterns from the library.

show abstract

Growing a pattern language (for security)

Cited by 50 publications

References 14 publications

Managing security requirements patterns using feature diagram hierarchies

Managing security requirements patterns using feature diagram hierarchies

Formalization of Web Security Patterns

Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders

Contact Info

Product

Resources

About