Security Patterns Template and Tutorial
Darrell M. Kienzle, Ph.D., Matthew C. Elder, Ph.D., David S. Tyree, James Edwards-Hewitt
Presented by Dan Frohlich
Overview
• What is a Pattern?
• What is a Security Pattern?
• The Security Pattern Template.
• Related Work.
What is a Pattern?
• Developed by Christopher Alexander for Architectural and Urban Planning
• Made popular for software design by GoF.
• Definition: A solution to a problem in a context.
• Summary, solution and impact
• Expanded to include recurrence, a teaching component, and a name by J. Vlissides (GoF)
Variations
• Architectural patterns.
  • Enterprise Level (System Patterns)
• AntiPatterns.
  • Document common mistakes
• Pattern Languages.
  • Families of solutions good for OO Frameworks.
What is a Security Pattern?
• Technique for encapsulating and disseminating security expertise.
• Some but not all are design Patterns
• Structural Security Patterns
  • Like GoF Design Patterns
• Procedural Security Patterns
  • Improve the development process of secure software
Audience drives Level of Detail
• Concepts
  • General Strategies like “Least Privilege”
• Classes of Patterns
  • General problem area with many solutions
• Patterns
  • General enough to be used in many circumstances
• Examples
  • A worked solution for a specific problem instance
The Security Pattern Template.
• Pattern Name
  • Noun describing a thing to be built. (Structural)
  • Verb describing recommended action. (Procedural)
• Abstract
  • Describes intent/purpose
  • Independent of context
  • Indicates limits on applicability.
The Security Pattern Template.
• Aliases
  • Also Known As
• Problem
  • Context for application
  • Motivation for use
• Solution
  • Applicability / Rationale
  • How the Pattern solves the Problem
The Security Pattern Template.
• Static Structure
  • Includes a Diagram if applicable or a note if not
  • Enumerates the components of the Diagram
• Dynamic Structure
  • Collaborations
  • Outlines Component interactions
The Security Pattern Template.
• Implementation Issues
  • Detailed hints and techniques
  • Identify pitfalls, and guide reader around them
• Common attacks
  • Identify attacks that interact with this pattern
  • Links to public databases
The Security Pattern Template.
• Known Uses
  • Cite examples of this pattern from all 3 levels when possible.
  • Code Level
    • Rely on language features.
  • System Level
    • Rely on OS features
  • Network Level
    • Implemented with network level components.
The Security Pattern Template.
• Sample Code
  • Presented whenever possible.
  • Adds tangibility to an abstract idea.
• Consequences
  • Each area should be discussed.
  • Accountability, Confidentiality, Integrity, Availability, Performance, Cost, Manageability, Usability
The Security Pattern Template.
• Related Patterns
  • Reference related patterns and the nature of the relationship
• References
  • Enumerate citations related to the pattern
Related Work
• Security Properties of Design Patterns
  • Security ramifications of GoF
• NRL Patterns work
  • Formal verification of security-critical software
• www.security-patterns.de
  • Collaborative site for security pattern developers
Related Work (cont.)
• OpenGroup Security Forum
  • Developing a library of architectural security patterns.