Security patterns and requirements for internet-based applications

Internet Research

Volumn 16, Issue 5, 2006, Pages 519-536

  Rosado, David G ^a   Gutiérrez, Carlos ^a   Fernández Medina, Eduardo ^a   Piattini, Mario ^a  

^a UNIVERSITY OF CASTILLA LA MANCHA   (Spain)

Author keywords

Computer applications; Security products; Worldwide web

Indexed keywords

EID: 33750441515     PISSN: 10662243     EISSN: None     Source Type: Journal    
DOI: 10.1108/10662240610710996     Document Type: Article

References (51)

1. Alexander, C., Ishikawa, S., Silverstein, M., Jacobson, M., Fiksdahl-King, I. and Angel, S. (1977), A Pattern Language: Towns, Buildings, Construction, Oxford University Press, New York, NY.
2. Anderson, S., Bohren, J., Boubez, T., Chanliau, M., Della-Libera, G., Dixon, B., Garg, P. and Gudgin, M. et al. (2005), Web Services Trust Language (WS-Trust), February, available ftp://www6.software.ibm.com/software/developer/ library/ws-trust.pdf.
3. Ashley, P., Hada, S., Karjoth, G. and Schunter, M. (2002), "E-P3P privacy policies and privacy authorization", Workshop on Privacy in the Electronic Society, WPES'02, Washington, DC.
4. Bass, L., Clements, P. and Kazman, R. (2003), Software Architecture in Practice, Addison-Wesley, Reading, MA.
5. Berry, C.A., Carnell, J., Juric, M.B., Kunnumpurath, M.M., Nashi, N. and Romanosky, S. (2002), Chapter 5: Patterns Applied to Manage Security, J2EE Design Patterns Applied.
6. Bilorusets, R., Bosworth, A., Box, D., Cabrera, L.F., Collison, D., Ferguson, D., Ferris, C. and Freund, T. (2004), Web Services Reliable Messaging Protocol (WS-ReliableMessaging), March, available at:ftp://www6.software.ibm. com/software/developer/library/ws-reliablemessaging200403.pdf.
7. Buschmann, F. (1999), "Building software with patterns", paper presented at the 2nd European Conference on Pattern Languages of Programs (EuroPLoP 1999), Irsee, Germany.
8. Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P. and Stal, M. (1996), Pattern-Oriented Software Architecture: A System of Patterns, John Wiley, New York, NY.
9. CERT (2006), Statistics 1988-2006, available at: www.cert.org/stats/ certstats.htmlincidents.
10. Cranor, L., Langheinrich, M. and Marchiori, M. (2002), A P3P Preference Exchange Language 1.0 (APPEL1.0). W3C Working Draft, available at: www.w3.org/TR/2002/WD-P3P-preferences-20020415/.
11. Curbera, F., Nagy, W.A. and Weerawarana, S. (2001), "Web services: why and how", Workshop on Object Orientation and Web Services OOWS2001, Tampa, FL.
12. Cheng, B.H.C., Konrad, S., Campbell, L.A. and Wassermann, R. (2003), "Using security patterns to model and analyze security requirements", High Assurance Systems Workshop (RHAS 03) as part of the IEEE Joint International Conference on Requirements Engineering (RE 03), Monterey Bay, CA.
13. Das Neves, F. and Garrido, A. (1998), BodyGuard, Pattern Languages of Programs III, Addison-Wesley, Reading, MA.
14. Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Bell, S. and Ylonen, T. (1999), SPKI Certificate Theory, Internet Eng. Task Force RFC 2693.
15. Evans, C., Chappell, D., Bunting, D., Tharakan, G., Shimamura, H., Durand, J., Mischkinsky, J. and Nihei, K. et al. (2003), Web Services Reliability (WS-Reliability) Ver1.0. January 8, available at: www.oracle.com/technology/tech/webservices/htdocs/spec/WS-ReliabilityV1.0.pdf.
16. Fernandez, E.B. (2002), "Patterns for operating systems access control", paper presented at the 9th Conference on Pattern Languages of Programs, PLoP 2002, Allerton Park, IL.
17. Fernandez, E.B. and Pan, R. (2001), "A pattern language for security models", paper presented at the 8th Conference on Pattern Languages of Programs, PLoP 2001, Allerton Park, Monticello, IL.
18. Fernandez, E.B., Petrie, M.L., Seliya, N. and Herzberg, A. (2003), "A pattern language for firewalls", paper presented at the 10th Conference on Pattern Languages of Programs (PLoP'2003), Allerton Park, Monticello, IL.
19. Firesmith, D.G. (2003), "Engineering security requirements", Journal of Object Technology, Vol. 2 No. 1, pp. 53-68.
20. Firesmith, D.G. (2004), "Specifying reusable security requirements", Journal of Object Technology, Vol. 3, pp. 61-75.
21. Flanders, R. and Fernandez, E.B. (1999), "Data filter architecture pattern", paper presented at the 6th Conference on Pattern Languages of Programs, PLoP 1999, Allerton Park, Monticello, IL.
22. Ford, W., Hallam-Baker, P., Fox, B., Dillaway, B., LaMacchia, B., Epstein, J. and Lapp, J. (2001), XML Key Management Specification (XKMS). W3C Note 30, VeriSign Inc, Microsoft Corporation, webMethods Inc., London.
23. Fox, S. (2001), Collection and Dissemination of Computer and Internet Security Related Information (Alerts, Advisories, Incident Notes, Vulnerability Notes, Summaries and other Bulletins), SANS.org, Washington, DC, August 21.
24. Gutiérrez, C., Fernández-Medina, E. and Piattini, M. (2004), "Web services security: is the problem solved?", Information Systems Security, Vol. 13, pp. 22-31.
25. Gutiérrez, C., Fernández-Medina, E. and Piattini, M. (2005a), "PWSSec: process for web services security", paper presented at the IEEE International Conference on Web Services, Orlando, FL.
26. Gutiérrez, C., Fernández-Medina, E. and Piattini, M. (2005b), "Web services-based security requirement elicitation", paper presented at 1st International Workshop on Service-Oriented Computing: Consequences for Engineering Requirements (SOCCER 2005), in conjunction with RE 05 - 13th IEEE International Requirements Engineering Conference, Paris, France.
27. Gutiérrez, C., Fernández-Medina, E. and Piattini, M. (2005c), "Web services enterprise security architecture: a case study", Workshop on Security on Web Services, Fairfax, VA.
28. Housley, R., Ford, W., Polk, W. and Solo, D. (1999), Internet X.509 Public Key Infrastructure Certificate and CRL Profile, Internet Eng. Task Force RFC 2459, January.
29. IBM (2002), Security in a Web Services World: A Proposed Architecture and Roadmap. White Paper from IBM Corporation and Microsoft Corporation, Version 1.0, available at: www.verisign.com/wss/architectureRoadmap.pdf.
30. IDC (2005), Consumption of Web Services Will Greatly Increase through 2009, available at: www.idc.com/getdoc.jsp?containerId=prUS00190705.
31. Imamura, T. and Tatsubori, M. (2003), "Patterns for securing web services messaging", OOPSLA'03 Workshop for Web Services and Service Oriented Architecture Best Practice and Patterns, Anaheim, CA.
32. Kis, M. (2002), "Information Security antipatterns in software requirements engineering", paper presented at the 9th Conference on Pattern Languages of Programs (PLoP'2002), Allterton Park, Monticello, IL.
33. Lee Brown, J.F., DiVietri, J., Diaz de Villegas, G. and Fernandez, E.B. (1999), "The authenticator pattern", paper presented at the 6th Conference on Pattern Languages of Programs, PLoP 1999, Allerton Park, Monticello, IL.
34. Lehtoren, S. and Pärssinen, J. (2002), "Pattern language for cryptographic key management", paper presented at the 7th European Conference on Pattern Languages of Programs (EuroPlop'2002), Irsee, Germany.
35. OASIS (2003), Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1, available at: www.oasis-open.org/committees/ download.php/3406/oasis-sstc-saml-core-1.1.pdf.
36. OASIS (2005), Quality Model for Web Services, Available at: www.oasis-open.org/committees/download.php/15910/WSQM-ver-2.0.doc.
37. OASIS (2006a), Web Services Security. X.509 Certificate Token Profile 1.1. OASIS Standard Specification, available at: www.oasis-open.org/committees/ download.php/16785/wss-v1.1-spec-os-x509TokenProfile.pdf.
38. OASIS (2006b), Web Services Security. Username Token Profile 1.1. OASIS Standard Specification, 1 February, available at: www.oasis-open.org/committees/ download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf.
39. OASIS (2006c), Web Services Security. Kerberos Token Profile 1.1. OASIS Standard Specification, 1 February, available at: www.oasis-open.org/committees/ download.php/16788/wss-v1.1-spec-os-KerberosTokenProfile.pdf.
40. OASIS (2006d), Web Services Security. SOAP Message Security 1.1 (WS-Security 2004). OASIS Standard Specification, 1 February, available at: www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os- SOAPMessageSecurity.pdf.
41. Ramachandran, J. (2002), Designing Security Architecture Solutions, John Wiley, New York, NY.
42. Romanosky, S. (2001), Security Design Patterns, available at: www.cgisecurity.com/lib/securityDesignPatterns.html.
43. Romanosky, S. (2002), "Enterprise security patterns", paper presented at the 7th European Conference on Pattern Languages of Programs (EuroPlop'02), Irsee, Germany.
44. Rosado, D.G., Gutiérrez, C., Fernandez-Medina, E. and Piattini, M. (2006), "A study of security architectural patterns", paper presented at the 1st International Conference on Availability, Reliability and Security (ARES 2006), Vienna, Austria, IEEE Computer Society, available at: http://csdl.computer.org/dl/proceedings/ares/2006/2567/00/25670358.pdf.
45. Steel, C., Nagappan, R. and Lai, R. (2005), Core Security Patterns, Prentice-Hall, Englewood Cliffs, NJ.
46. Todd, S., Parr, F. and Conner, M. (2001), A Primer for HTTPR. An Overview of the Reliable HTTP Protocol, IBM, available at: www-128.ibm.com/ developerworks/webservices/library/ws-phtt/.
47. W3C (2004), Services Architecture, available at: www.w3.org/TR/2004/NOTE- ws-arch-20040211/.
48. WS-I (2005), Security Challenges, Threats and Countermeasures Version 1.0.T. Report, available at: www.ws-i.org/Profiles/BasicSecurity/ SecurityChallenges-1.0-20050507.doc.
49. Yagüe, M.I. and Troya, J.M. (2002), "A semantic approach for access control in web services", paper presented at the Euroweb 2002 International Conference, W3C & British Computer Society Electronic Workshops in Computing (eWiC), Oxford.
50. Yagüe, M.I., Maa, A. and López, J. (2005), "A metadata-based access control model for web services", Internet Research Journal: Electronic Networking Applications and Policy, Vol. 25 No. 1, pp. 99-116.
51. Yoder, J. and Barcalow, J. (1997), "Architectural patterns for enabling application security", paper presented at the 4th Conference on Patterns Language of Programming, PLop 1997, Monticello, IL.