Advertisement

Using Data Integration to Help Design More Secure Applications

  • Sébastien SalvaEmail author
  • Loukmen Regainia
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10694)

Abstract

Security patterns are reusable solutions, which enable the design of maintainable systems or applications that have to meet security requirements. The generic nature of security patterns and their growing number make their choices difficult, even for experts in software design. We propose to contribute in this issue by presenting a methodology of security pattern classification based upon data integration. The classification exhibits relationships among 215 software attacks, 66 security principles and 26 security patterns. It expresses pattern combinations, which are countermeasures to a given attack. This classification is semi-automatically inferred by means of a data-store integrating disparate publicly available security data. Besides pattern classification, we show that the data-store can be used to generate Attack Defence Trees. In our context, these illustrate, for a given attack, its sub-attacks, steps, techniques and the related defences given under the form of security pattern combinations. Such trees make the pattern classification more readable even for beginners in security patterns.

Keywords

Security patterns Classification Attack Attack defence tree 

Notes

Acknowledgement

Research supported by the industrial chair on Digital Confidence http://confiance-numerique.clermont-universite.fr/index-en.html.

References

  1. 1.
  2. 2.
    Alvi, A.K., Zulkernine, M.: A natural classification scheme for software security patterns. In: 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, pp. 113–120 (2011)Google Scholar
  3. 3.
    Alvi, A.K., Zulkernine, M.: A comparative study of software security pattern classifications. In: 2012 Seventh International Conference on Availability, Reliability and Security, pp. 582–589 (2012)Google Scholar
  4. 4.
    Bunke, M., Koschke, R., Sohr, K.: Organizing security patterns related to security and pattern recognition requirements. International Journal on Advances in Security 5 (2012)Google Scholar
  5. 5.
    Jhawar, R., Kordy, B., Mauw, S., Radomirović, S., Trujillo-Rasua, R.: Attack trees with sequential conjunction. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IAICT, vol. 455, pp. 339–353. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-18467-8_23 CrossRefGoogle Scholar
  6. 6.
    Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 173–176. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40196-1_15 CrossRefGoogle Scholar
  7. 7.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. Journal of Logic and Computation p. exs029 (2012)Google Scholar
  8. 8.
    Meier, J.: Web application security engineering. IEEE Secur. Priv. 4(4), 16–24 (2006)CrossRefGoogle Scholar
  9. 9.
    Mitre corporation: Common attack pattern enumeration and classification (2015). https://capec.mitre.org/
  10. 10.
    Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)CrossRefGoogle Scholar
  11. 11.
    Schumacher, M.: Security Engineering with Patterns: Origins, Theoretical Models, and New Applications. Springer-Verlag New York Inc., Secaucus (2003)CrossRefzbMATHGoogle Scholar
  12. 12.
    Tøndel, I.A., Jensen, J., Røstad, L.: Combining misuse cases with attack trees and security activity models. In: International Conference on Availability, Reliability, and Security, 2010, ARES 2010, pp. 438–445. IEEE (2010)Google Scholar
  13. 13.
    Uzunov, A.V., Fernandez, E.B.: An extensible pattern-based library and taxonomy of security threats for distributed systems. Comput. Stand. Interfaces 36(4), 734–747 (2014)CrossRefGoogle Scholar
  14. 14.
    Viega, J., McGraw, G.: Building Secure Software: How to Avoid Security Problems the Right Way. Portable Documents, Pearson Education (2001)Google Scholar
  15. 15.
    Wiesauer, A., Sametinger, J.: A security design pattern taxonomy based on attack patterns. In: International Joint Conference on e-Business and Telecommunications, pp. 387–394 (2009)Google Scholar
  16. 16.
    Willett, P.: Recent trends in hierarchic document clustering: a critical review. Inf. Process. Manag. 24(5), 577–597 (1988)CrossRefGoogle Scholar
  17. 17.
    Yoder, J., Yoder, J., Barcalow, J., Barcalow, J.: Architectural patterns for enabling application security. In: Proceedings of PLoP 1997, vol. 51, p. 31 (1998)Google Scholar
  18. 18.
    Yskout, K., Heyman, T., Scandariato, R., Joosen, W.: A system of security patterns (2006)Google Scholar
  19. 19.
    Yskout, K., Scandariato, R., Joosen, W.: Do security patterns really help designers? In: Proceedings of the 37th International Conference on Software Engineering - Volume 1, pp. 292–302. ICSE 2015. IEEE Press, Piscataway (2015). http://dl.acm.org/citation.cfm?id=2818754.2818792

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.LIMOS CNRS UMR 6158Clermont Auvergne UniversityClermont-FerrandFrance

Personalised recommendations