A survey on security patterns

Progress in Informatics

Volumn , Issue 5, 2008, Pages 35-48

  Yoshioka, Nobukazu ^a   Washizaki, Hironori ^b   Maruyama, Katsuhisa ^c  

^a NATIONAL INSTITUTE OF INFORMATICS   (Japan)

^b GRADUATE UNIVERSITY FOR ADVANCED STUDIES   (Japan)

^c RITSUMEIKAN UNIVERSITY   (Japan)

Author keywords

Design patterns; Refactoring; Security; Security patterns; Software engineering

Indexed keywords

DESIGN PATTERNS; REFACTORING; SECURITY PATTERNS;

PATTERN RECOGNITION; PROBLEM SOLVING; SOFTWARE ENGINEERING; SYSTEMS ANALYSIS;

SECURITY SYSTEMS;

EID: 42449139876     PISSN: 13498614     EISSN: 13498606     Source Type: Journal    
DOI: 10.2201/NiiPi.2008.5.5     Document Type: Review

References (76)

1. R T. Devanbu and S. Stubblebine, "Software engineering for security: a roadmap," in Proceedings of the Conference on The Future of Software Engineering, pp.227-239, 2000.
2. M. Schumacher, E. B. Fernandez, D. Hybertson, F. Buschmann, and P. Sommerlad, Security Patterns: Integrating Security And Systems Engineering, John Wiley & Sons Inc, 2006.
3. E. Houg, N. R. Mead and T. R. Stehney, "Security quality requirements engineering (square) methodology," Technical Report CMU/SEI-2005-TR-009, CMU/SEI, 2005.
4. P. Bresciani, P. Giorgini, F. Giunchiglia, and J. Mylopoulos, "Tropos: An agent-oriented software development methodology," JAAMAS, vol.8, no.3, pp.203-236, 2004.
5. J. Jürjens, G. Popp, and G. Wimmel, "Towards using security patterns in model-based system development," in Proceedings of PLoP 2002 Conference, 2002.
6. C. Alexander, The Timeless Way of Building, Oxford University Press, 1979.
7. F. Buschmann, K. Henney, and D.C. Schmidt, Pattern-Oriented Software Architecture: On Patterns and Pattern Languages, John Wiley & Sons Inc, 2007.
8. M. Kis, "Information security antipatterns in software requirements engineering," in the PLoP 2002 conference, 2002.
9. M. A. Jackson, Problem Frames: Analysing and structuring software development problems, Addison Wesley, 2000.
10. P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone, "Modelling security requirements through ownership, permission and delegation," in 13th IEEE International Conference on Requirements Engineering 2005, pp.167-176, 2005.
11. H. Mouratidis, M. Weiss, and P. Giorgini, "Modelling secure systems using an agent-oriented approach and security patterns," International Journal of Software Engineering and Knowledge Engineering, vol.16, no.3, pp.471-498, 2006.
12. D. Hatebur, M. Heisel, and H. Schmidt, "Security engineering using problem frames," in Proceedings of the International Conference on Emerging Trends in Information and Communication Security (ETRICS), vol.3995, pp.238-253, Springer Berlin, Heidelberg, 2006.
13. D. Hatebur, M. Heisel, and H. Schmidt, "A pattern system for security requirements engineering," in Proceedings of the International Conference on Availability, Reliability and Security (AReS), pp.356-365, IEEE, 2007.
14. D. Hatebur, M. Heisel, and H. Schmidt, "A security engineering process based on patterns," in Proceedings of the International Workshop on Database and Expert Systems Applications (DEXA), pp.734-738, IEEE, 2007.
15. J. Yoder and J. Barcalow, "Architectural patterns for enabling application security," in Proceedings of PLoP '97 Conference, 1997.
16. E. B. Fernandez and R. Pan, "A pattern language for security models," in Proceedings of PLoP 2001 Conference, 2001.
17. E. Gamma, R. Helm, R. Johnson, and J. Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software, Addison-Wesley Professional, 1995.
18. C. Steel, R. Nagappan, and R. Lai, Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management, Prentice Hall, 2005.
19. E. B. Fernandez, J. C. Pelae, and M. M. Larrondo-Petrie, "Security patterns for voice over ip networks," in Proceedings of the International Multi-Conference on Computing in the Global Information Technology (ICCGI'07), 2007.
20. M. Weiss, Integrating Security and Software Engineering: Advances and Future Vision, Chapter VI: Modelling Security Patterns Using NFR Analysis, pp. 127-141, Idea Group Publishing, 2006.
21. P. Morrison and E. B. Fernandez, "Securing the broker pattern," In Proceedings of the 11th European Conference on Pattern Languages of Programs (EuroPLoP 2006), 2006.
22. F. Buschmann, R. Meunier, H. Rohnert, P. Sommerlad, and M. Stal, Pattern-Oriented Software Architecture Volume 1: A System of Patterns, Wiley, 1996.
23. D. Alur, J. Crupi, and D. Malks, Core J2EE Patterns: Best Practices and Design Strategies, Second Edition, Prentice Hall, 2003.
24. E. B. Fernandez, T. Sorgente, and M. M. Larrondo-Petrie. "Even more patterns for secure operating systems," in Proceedings of PLoP 2006 Conference, 2006.
25. M. Hafiz, "Secure pre-forking - a pattern for performance and security," in Proceedings of PLoP 2005 Conference, 2005.
26. M. Sadicoff, M. M. Larrondo-Petrie, and E. B. Fernandez, "Privacy-aware network client pattern," in Proceedings of PLoP 2005 Conference, 2005.
27. S. Romanosky, A. Acquisti, J. Hong, L. F. Cranor, and B. Friedman, "Privacy patterns for online interactions," in Proceedings of PLoP 2006 Conference, 2006.
28. M. Bishop, Computer Security: Art and Science, Chapter 29: Program Security, pp.869-921, Addison Wesley, 2003.
29. M. G. Graff and K. R. Wyk, Secure Coding: Principles and Practices, Chapter 4: Implementation, pp.99-123, O'Reilly, 2003.
30. D. A. Wheeler, "Secure Programming for Linux and Unix HOWTO," 1999. http://www.dwheeler.com/secure-programs/.
31. G. McGraw and E. Felten, "Twelve rules for developing more secure java code," 1998; http://www.javaworld.com/javaworld/jw-12-1998/jw-12- securityrules.html.
32. J. Viega, G. McGraw, T. Mutdosch, and E.W. Felten, "Statically scanning java code: Finding security vulnerabilities," IEEE Software, vol.17, no.5, pp.68-74, 2000.
33. Sun Microsystems, Security code guidelines, 2000. http://java.sun.com/ security/seccodeguide.html.
34. J. Viega and M. Messier, Secure Programming Cookbook for C and C++, O'Reilly, 2003.
35. R. C. Seacord, Secure Coding in C and C++, Addison Wesley, 2006.
36. S. Oaks, Java Security, 2nd ed. Addison-Wesley, 2001.
37. M. Howard and D. LeBlanc, Writing Secure Code, Second Edition, Microsoft Press, 2002.
38. C. Wysopal, L. Nelson, D. D. Zovi, and E. Dustin, The Art of Software Security Testing, Addison-Wesley, 2006.
39. J. A. Whittaker and H.H. Thompson, How to Break Software Security, Addison Wesley, 2001.
40. M. Andrews and J. A. Whittaker, How to Break Web Software, Addison-Wesley, 2006.
41. G. Hoglund and G. McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004.
42. M. Fowler, Refactoring: Improving the Design of Existing Code, Addison-Wesley, 1999.
43. W. F. Opdyke, Refactoring Object-Oriented Frameworks. PhD thesis, University of Illinois, Urbana-Champaign, 1992.
44. J. Kerievsky, Refactoring to Patterns, Addison-Wesley, 2004.
45. K. Maruyama, "Secure refactoring: Improving the security level of existing code," in Proc. Int'l Conf. Software and Data Technologies (ICSOFT 2007), pp. 222-229, 2007.
46. M. Schumacher, Security Engineering With Patterns: Origins, Theoretical Models, and New Applications, Springer, 2003.
47. K. Supaporn, N. Prompoon, and T. Rojkangsadan, "An approach: Constructing the grammar from security pattern," in Proc. 4th International Joint Conference on Computer Science and Software Engineering (JCSSE2007), 2007.
48. M. Kifer, G. Lausen, and J. Wu, "Logical foundations of object oriented and frame based languages," Journal of ACM, vol.42, pp.741-843, 1995.
49. T. Heyman, K. Yskout, R. Scandariato, and W. Joosen, "An analysis of the security patterns landscape," in 3rd International Workshop on Software Engineering for Secure Systems (SESS07), Proc. 29th International Conference on Software Engineering Workshops (ICSEW'07), IEEE CS, 2007.
50. S. Konrad, B. H. C. Cheng, L. A. Campbell, and R. Wassermann, "Using security patterns to model and analyze security requirements," in International Workshop on Requirements for High Assurance Systems, 2003.
51. D. G. Rosado, C. Gutierrez, Eduardo Fernandez-Medina, and M. Piattini, "Security patterns related to security requirements," in Proc. 4th International Workshop on Security in Information Systems (WOSIS), 2006.
52. M. Hafiz, P. Adamczyk, and R.E. Johnson, "Organizing security patterns," IEEE Software, vol.24, no.4, pp.52-60, 2007.
53. Commission of European Communities, Information technology security evaluation criteria, version 1.2, 1991.
54. J. A. Zachman, "A framework for information systems architecture," IBM Systems Journal, vol.26, no.3, 1987.
55. F. Swiderski and W. Snyder, Threat modeling, Microsoft Press, 2004.
56. A. Kubo, H. Washizaki, and Y. Fukazawa, "Extracting relations among security patterns," Submitted to 1st International Workshop on Software Patterns and Quality (SPAQu'07).
57. A. Kubo, H. Washizaki, A. Takasu, and Y. Fukazawa, "Extracting relations among embedded software design patterns," Journal of Design & Process Science, vol.9, no.3, pp.39-52, 2005.
58. K. Yskout, T. Heyman, R. Scandariato, and W. Joosen, "An inventory of security patterns," in Technical Report CW-469, Katholieke Universiteit Leuven, Department of Computer Science, 2006.
59. Microsoft, Patternshare; http://patternshare.org/.
60. Cunningham & Cunningham, Inc., Portland pattern repository; http://c2.com/ppr/.
61. J. Viega and G. McGraw, Building Secure Software: How to Avoid Security Problems the Right Way, Addison-Wesley, 2001.
62. S. T. Halkidis, A. Chatzigeorgiou, and G. Stephanides, "A qualitative evaluation of security patterns," in Proc. International Conference on Information and Communications Security (ICICS), 2004.
63. E. B. Fernandez, M.M. Larrondo-Petrie, T, Sorgente, and M. VanHilst. Integrating Security and Software Engineering: Advances and Future Vision, Chapter V: A methodology to develop secure systems using patterns, pages 107-126, Idea Group Publishing, 2006.
64. E. B. Fernandez, "Security patterns," in Procs. Eigth International Symposium on System and Information Security (SSI'2006), Keynote talk, 2006.
65. G. Georg, I. Ray, and R. France, "Using aspects to design a secure system," in Proc. Eighth IEEE International Conference on Engineering of Complex Computer Systems, 2002.
66. I. Ray, R. France, N. Li, and G. Georg, "An aspect-based approach to modeling access control concerns," Information and Software Technology, vol.46, no.9, pp.575-587, 2004.
67. J. Jürjens, Secure Systems Development with UML, Springer, 2004.
68. A. Apvrille and M. Pourzandi, "Secure software development by example," IEEE Security & Privacy, vol.3, no.4, pp.10-17, 2005.
69. M. Vokac, "Defect frequency and design patterns: an empirical study of industrial code," Transactions on Software Engineering, vol.30, no.12, pp.904-917, 2004.
70. L. Lin, B. Nuseibeh, D. Ince, M. Jackson, and J. Moffett, "Analysing security threats and vulnerabilities using abuse frames," Open University Technical Report No:2003/10, 2003. Abuse Frame.
71. R. Crook, D. Ince, L. Lin, and B. Nuseibeh, "Security requirements engineering: When anti-requirements hit the fan," in Proceeding of the 10th Requirements Engineering Conference (RE'02), pp.9-13, 2002.
72. P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone, "Requirements engineering meets trust management: Model, methodology, and reasoning," in Proc. of iTrust'04, LNCS 2995, pp.176-190, Springer-Verlag, 2004.
73. P. Hope, G. McGraw, and A.I. Anton, "Misuse and abuse cases: Getting past the positive," IEEE Security & Privacy, vol.2, no.3, pp.90-92, 2004.
74. E. B. Fernandez, M. VanHilst, M.M. Larrondo, and S. Huang, "Defining security requirements through misuse actions," in IFIP International Federation for Information Processing, pp.123-137, 2006.
75. T. Lodderstedt, D. A. Basin, and J. Doser, "SecureUML: A UML-based modeling language for model-driven security," in Proceedings of the 5th International Conference on The Unified Modeling Language, pp.426-441, 2002.
76. N. Yoshioka, S. Honiden, and A. Finkelstein, "Security patterns: a method for constructing secure and efficient inter-company coordination systems," in Proceedings of Enterprise Distributed Object Computing Conference 2004 (EDOC'04), pp.84-97, 2004.