Security Patterns

Design patterns can be applied to achieve goals in the area of security. All of the classical design patterns have different instantiations to fulfill some information security goal: such as confidentiality, integrity, and availability. Additionally, one can create a new design pattern to specifically achieve some security goal.

Existing security pattern

The pattern community has provided a collection of security patterns, which were discussed in workshops at Pattern Languages of Programs (PLoP) conferences. They have been unified and published in a joint project.[1]

Munawar Hafiz and colleagues worked with Ward Cunningham and Microsoft Patterns and Practices group on a comprehensive catalog of all published security patterns. They have also explored how to classify the patterns in small groups[2] and how to organize them using a pattern language.[3] As of March 2013, their pattern catalog contains 97 security patterns. More details are available in the webpage maintained the Munawar Hafiz.[4]

From Sun Microsystems, Ramesh Nagappan and Christopher Steel worked together to release a Comprehensive Security Patterns and Security Solution Catalog with Best Practices guidance for Java applications, XML Web Services, Identity Management and Identity provisioning.[5]

The Open Group provides a set of documented security pattern.

Available system patterns

These are patterns that are concerned with the availability of the assets. The assets are either services or resources offered to users.

Protected system patterns

This is a set of patterns concerned with the confidentiality and integrity of information by providing means to manage access and usage of the sensitive data.

The protected system pattern provides some reference monitor or enclave that owns the resources and therefor must be bypassed to get access. The monitor enforces as the single point a policy. The GoF refers to it as "Protection Proxy".

The policy pattern is an architecture to decouple the policy from the normal resource code. An authenticated user owns a security context (erg. a role) that is passed to the guard of resource. The guard checks inside the policy whether the context of this user and the rules match and provides or denies access to the resource.

The authenticator pattern is also known as the Pluggable Authentication Modules or Java Authentication and Authorization Service (JAAS).

Security patterns for Java EE, XML Web Services and Identity Management [6]

This is a set of security patterns evolved by Sun Java Center - Sun Microsystems engineers Ramesh Nagappan and Christopher Steel, which helps building end-to-end security into multi-tier Java EE enterprise applications, XML based Web services, enabling Identity management in Web applications including Single sign-on authentication, multi-factor authentication, and enabling Identity provisioning in Web based applications.

External links

References

  1. Markus Schumacher, Eduardo Fernandez-Buglioni, Duane Hybertson, Frank Buschmann, Peter Sommerlad. Security Patterns: Integrating Security and Systems Engineering, Wiley Series in Software Design Patterns, 2005.
  2. Munawar Hafiz, Paul Adamczyk and Ralph Johnson. Organizing Security Patterns. In IEEE Software Special Issue on Software Patterns, Jul/Aug 2007
  3. Munawar Hafiz, Paul Adamczyk and Ralph Johnson. Growing a Pattern Language (for Security). In Proceedings of the 27th Object-Oriented Programming, Systems, Languages and Applications, OOPSLA 2012, Oct 2012
  4. Munawar Hafiz. Security Pattern Catalog. http://www.munawarhafiz.com/securitypatterncatalog/index.php
  5. Ramesh Nagappan, Christopher Steel - Core Security Patterns Catalog. http://coresecuritypatterns.com/patterns.htm
  6. Ramesh Nagappan, Christopher Steel. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services and Identity Management, Prentice Hall, 2005.
This article is issued from Wikipedia - version of the 2/5/2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.