Growing a pattern language (for security) | Proceedings of the ACM international symposium on New ideas, new paradigms, and reflections on programming and software
Published: 19 October 2012
Abstract
Researchers and practitioners have been successfully documenting software patterns for over two decades. But the next step, building pattern languages, has proven much more difficult. This paper describes an approach for building a large pattern language for security, an approach that can also be used to create pattern languages for other software domains. We describe the mechanism of growing this pattern language: how we cataloged the security patterns from books, papers and pattern collections written by security experts over the last 15 years, how we classified the patterns to help developers find the appropriate ones, and how we identified and described the relationships between patterns in the language. To the best of our knowledge, this is the largest pattern language in software. But the most significant contribution of this paper is the story of how the pattern language was grown; it illustrates steps that can be adapted to create and grow pattern languages for other domains.
Published In
Onward! 2012: Proceedings of the ACM international symposium on New ideas, new paradigms, and reflections on programming and software
October 2012
258 pages
Copyright © 2012 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Publisher
Association for Computing Machinery
New York, NY, United States
Qualifiers
- Research-article
Acceptance Rates
Onward! 2012 Paper Acceptance Rate 13 of 43 submissions, 30%;
Overall Acceptance Rate 40 of 105 submissions, 38%
Article Metrics
- Downloads (last 12 months): 52
- Downloads (last 6 weeks): 4
- Reflects downloads up to 13 Jan 2025
Citations
- Zdun U, Queval P, Simhandl G, Scandariato R, Chakravarty S, Jelić M, Jovanović A (2024). Detection Strategies for Microservice Security Tactics. IEEE Transactions on Dependable and Secure Computing, 21(3):1257-1273. doi:10.1109/TDSC.2023.3276487. Online publication date: May 2024.
- Sapaty P (2024). Active Spatial Patterns in SGL Versus Traditional Algorithms. In: Spatial Networking in the United Physical, Virtual, and Mental World, pp. 167-189. doi:10.1007/978-3-031-62154-3_9. Online publication date: 30 Jun 2024.
- Sapaty P (2024). Conclusions. In: Spatial Networking in the United Physical, Virtual, and Mental World, pp. 211-224. doi:10.1007/978-3-031-62154-3_11. Online publication date: 30 Jun 2024.
- Zdun U, Queval P, Simhandl G, Scandariato R, Chakravarty S, Jelic M, Jovanovic A (2023). Microservice Security Metrics for Secure Communication, Identity Management, and Observability. ACM Transactions on Software Engineering and Methodology, 32(1):1-34. doi:10.1145/3532183. Online publication date: 13 Feb 2023.
- Poongavanam E, T M V K, Murugesan S (2023). Analysis of cloud services using OWASP security design. 2023 International Conference on Research Methodologies in Knowledge Management, Artificial Intelligence and Telecommunication Engineering (RMKMATE), pp. 1-5. doi:10.1109/RMKMATE59243.2023.10369976. Online publication date: 1 Nov 2023.
- Kanakogi K, Washizaki H, Fukazawa Y, Ogata S, Okubo T, Kato T, Kanuka H, Hazeyama A, Yoshioka N (2022). Comparative Evaluation of NLP-Based Approaches for Linking CAPEC Attack Patterns from CVE Vulnerability Information. Applied Sciences, 12(7):3400. doi:10.3390/app12073400. Online publication date: 27 Mar 2022.
- Kanakogi K, Washizaki H, Fukazawa Y, Ogata S, Okubo T, Kato T, Kanuka H, Hazeyama A, Yoshioka N (2021). Tracing CVE Vulnerability Information to CAPEC Attack Patterns Using Natural Language Processing Techniques. Information, 12(8):298. doi:10.3390/info12080298. Online publication date: 26 Jul 2021.
- Washizaki H, Xia T, Kamata N, Fukazawa Y, Kanuka H, Kato T, Yoshino M, Okubo T, Ogata S, Kaiya H, Hazeyama A, Tanaka T, Yoshioka N, Priyalakshmi G (2021). Systematic Literature Review of Security Pattern Research. Information, 12(1):36. doi:10.3390/info12010036. Online publication date: 16 Jan 2021.
- Tenev T, Tsvetanov S (2020). Recommendations for Enhancing Security in Microservice Environment Altered in an Intelligent Way. 2020 International Conference on Software, Telecommunications and Computer Networks (SoftCOM), pp. 1-6. doi:10.23919/SoftCOM50211.2020.9238277. Online publication date: 17 Sep 2020.
- Santos J, Suloglu S, Ye J, Mirakhorli M (2020). Towards an Automated Approach for Detecting Architectural Weaknesses in Critical Systems. Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops, pp. 250-253. doi:10.1145/3387940.3392222. Online publication date: 27 Jun 2020.
Affiliations
Munawar Hafiz
Auburn University, Auburn, AL, USA
Paul Adamczyk
Booz Allen Hamilton, McLean, VA, USA
Ralph E. Johnson
University of Illinois, Urbana, IL, USA