Abstract
Security patterns are a useful way of describing, packaging and applying security knowledge which might otherwise be unavailable. However, because patterns represent partial knowledge of a problem and solution space, there is little certainty that addressing the consequences of one problem won’t introduce or exacerbate another. Rather than using patterns exclusively to explore possible solutions to security problems, we can use them to better understand the security problem space. To this end, we present a framework for evaluating the implications of security and attack patterns using premortems: scenarios describing a failed system that invites reasons for its failure. We illustrate our approach using an example from the EU FP 7 webinos project.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Schumacher M, Fernandez E, Hybertson D, Buschmann F. Security patterns: integrating security and systems engineering. Chichester: Wiley; 2005.
McGraw G, Migues S, West J. Building Security In Maturity model: BSIMMV. October 2013. http://bsimm.com. Accessed March 2014
Fernandez EB, Yoshioka N, Washizaki H, Jürjens J, VanHilst M, Pernul G. Using security patterns to develop secure systems. In: Mouratidis H, editor. Software engineering for secure systems: industrial and research perspectives. , New York: IGI Global; 2011. p. 16–31.
Chiesa R, Ducci S, Ciappi S. Profiling hackers: the science of criminal profiling as applied to the world of hacking. 1st ed. Boston: Auerbach Publications; 2008.
Atzeni A, Cameroni C, Faily S, Lyle J, Flechais I. Here’s johnny: a methodology for developing attacker personas. In: Proceedings of the 2011 sixth international conference on availability, reliability and security. ARES ’11. Washington: IEEE Computer Society; 2011. p. 722–7. http://dx.doi.org/10.1109/ARES.2011.115.
Faily S, Flechais I. To boldly go where invention isn’t secure: applying security entrepreneurship to secure systems design. In: Proceedings of the 2010 workshop on new security paradigms. NSPW ’10. New York: ACM; 2010. p. 73–84. http://doi.acm.org/10.1145/1900546.1900557.
Klein G. Performing a project premortem. Harvard Bus Rev. 2007;85(9):18–9.
van Lamsweerde A. Requirements engineering: from system goals to UML models to software specifications. West Sussex: Wiley; 2009.
Faily S, Fléchais I. Towards tool-support for usable secure requirements engineering with CAIRIS. Int J Secure Software Eng. 2010;1(3):56–70.
Faily S. CAIRIS web site; 2013. http://github.com/failys/CAIRIS.
Faily S, Fléchais I. Eliciting policy requirements for critical national infrastructure using the iris framework. Int J Secure Software Eng. 2011;2(4):114–9.
Gamma E, Helm R, Johnson R, Vlissides J. Design patterns: elements of reusable object-oriented software. Boston: Addison-Wesley Longman; 1995.
Faily S, Fléchais I. A meta-model for usable secure requirements engineering. In: Proceedings of the 2010 ICSE workshop on software engineering for secure systems. SESS ’10. New York: ACM; 2010. p. 29–35. http://doi.acm.org/10.1145/1809100.1809105.
Faily S, Lyle J, Namiluko C, Atzeni A, Cameroni C. Model-driven architectural risk analysis using architectural and contextualised attack patterns. In: Proceedings of the workshop on model-driven security. MDsec ’12. New York: ACM; 2012. p. 3:1–3:6. http://doi.acm.org/10.1145/2422498.2422501.
Faily S, Fléchais I. Analysing and visualising security and usability in iris. 2012 seventh international conference on availability, reliability and security 2010; p. 543–8.
Sindre G, Opdahl AL. Eliciting security requirements with misuse cases. Requir Eng. 2005;10(1):34–44. http://dx.doi.org/10.1007/s00766-004-0194-4.
Fuhrhop C, Lyle J, Faily S. The webinos project. In: Proceedings of the 21st international conference companion on World Wide Web. WWW ’12 Companion. New York: ACM; 2012. p. 259–62. Available from: http://doi.acm.org/10.1145/2187980.2188024.
Lyle J, Monteleone S, Faily S, Patti D, Ricciato F. Cross-platform access control for mobile web applications. In: 2012 IEEE international symposium on policies for distributed systems and networks (POLICY);2012. p. 37–44.
webinos Consortium. Context Policy Management Architectural Pattern; July. https://github.com/webinos/webinos-design-data/blob/master/architecture/architecturalpatterns/ContextPolicyManagement.xml.
The MITRE Corporation. Common Attack Pattern Enumeration and Classification (CAPEC) web site; 2012. http://capec.mitre.org.
The MITRE Corporation. Common Weakness Enumeration (CWE) web site; 2012. http://cwe.mitre.org.
webinos Consortium. Ethan Attacker Persona; 2011. https://github.com/webinos/webinos-design-data/blob/master/personas/ethan.xml.
webinos Consortium. Test Footprinting Attack Pattern; July. https://github.com/webinos/webinos-design-data/blob/master/architecture/attackpatterns/TestFootprinting.xml.
Chesbrough HW. Open innovation: the new imperative for creating and profiting from technology. Boston: Harvard Business School Press; 2003.
Acknowledgments
The work described in this chapter was funded by the EU FP7 webinos project (FP7-ICT-2009-05 Objective 1.2).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Faily, S., Parkin, S., Lyle, J. (2014). Evaluating the Implications of Attack and Security Patterns with Premortems. In: Blackwell, C., Zhu, H. (eds) Cyberpatterns. Springer, Cham. https://doi.org/10.1007/978-3-319-04447-7_16
Download citation
DOI: https://doi.org/10.1007/978-3-319-04447-7_16
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04446-0
Online ISBN: 978-3-319-04447-7
eBook Packages: Computer ScienceComputer Science (R0)