Security Patterns Template and Tutorial
Darrell M. Kienzle, Ph.D., Matthew C. Elder, Ph.D., David S. Tyree, James Edwards-Hewitt
Presented by Dan Frohlich
Overview
What is a Pattern?
What is a Security Pattern?
The Security Pattern Template.
Related Work.
What is a Pattern?
Developed by Christopher Alexander for Architectural and Urban Planning.
Made popular for software design by GoF.
Definition: A solution to a problem in a context.
– Summary, solution and impact
– Expanded to include recurrence, a teaching component, and a name by J. Vlissides (GoF)
Variations
Architectural patterns.
– Enterprise Level (System Patterns)
AntiPatterns.
– Document common mistakes
Pattern Languages.
– Families of solutions good for OO Frameworks.
What is a Security Pattern?
Technique for encapsulating and disseminating security expertise.
Some but not all are design Patterns
Structural Security Patterns
– Like GoF Design Patterns
Procedural Security Patterns
– Improve the development process of secure software
Audience drives Level of Detail
Concepts
– General Strategies like “Least Privilege”
Classes of Patterns
– General problem area with many solutions
Patterns
– General enough to be used in many circumstances
Examples
– A worked solution for a specific problem instance
The Security Pattern Template.
Pattern Name
– Noun describing a thing to be built. (Structural)
– Verb describing recommended action. (Procedural)
Abstract
– Describes intent/purpose
– Independent of context
– Indicates limits on applicability.
Aliases
– Also Known As
Problem
– Context for application
– Motivation for use
Solution
– Applicability / Rationale
– How the Pattern solves the Problem
Static Structure
– Includes a Diagram if applicable or a note if not
– Enumerates the components of the Diagram
Dynamic Structure
– Collaborations
– Outlines Component interactions
Implementation Issues
– Detailed hints and techniques
– Identify pitfalls, and guide reader around them
Common attacks
– Identify attacks that interact with this pattern
– Links to public databases
Known Uses
– Cite examples of this pattern from all 3 levels when possible.
– Code Level: Rely on language features.
– System Level: Rely on OS features.
– Network Level: Implemented with network level components.
Sample Code
– Presented whenever possible.
– Adds tangibility to an abstract idea.
Consequences
– Each area should be discussed.
– Accountability, Confidentiality, Integrity, Availability, Performance, Cost, Manageability, Usability
Related Patterns
– Reference related patterns and the nature of the relationship
References
– Enumerate citations related to the pattern
Related Work
Security Properties of Design Patterns
– Security ramifications of GoF
NRL Patterns work
– Formal verification of security-critical software
www.security-patterns.de
– Collaborative site for security pattern developers
Related Work (cont.)
OpenGroup Security Forum
– Developing a library of architectural security patterns.
Questions