Online ISSN: 1349-8606
Progress in Informatics  
No. 5, March 2008  
Pages 35-47  
 
A survey on security patterns
Nobukazu YOSHIOKA, Hironori WASHIZAKI, and Katsuhisa MARUYAMA

[1] P. T. Devanbu and S. Stubblebine, “Software engineering for security: a roadmap,” in Proceedings of the Conference on The Future of Software Engineering, pp.227-239, 2000.

[2] M. Schumacher, E. B. Fernandez, D. Hybertson, F. Buschmann, and P. Sommerlad, Security Patterns: Integrating Security And Systems Engineering, John Wiley & Sons Inc, 2006.

[3] E. Houg, N. R. Mead, and T. R. Stehney, “Security quality requirements engineering (square) methodology,” Technical Report CMU/SEI-2005-TR-009, CMU/SEI, 2005.

[4] P. Bresciani, P. Giorgini, F. Giunchiglia, and J. Mylopoulos, “Tropos: An agent-oriented software development methodology,” JAAMAS, vol.8, no.3, pp.203-236, 2004.

[5] J. Jurjens, G. Popp, and G. Wimmel, “Towards using security patterns in model-based system development,” in Proceedings of PLoP 2002 Conference, 2002.

[6] C. Alexander, The Timeless Way of Building, Oxford University Press, 1979.

[7] F. Buschmann, K. Henney, and D. C. Schmidt, Pattern-Oriented Software Architecture: On Patterns and Pattern Languages, John Wiley & Sons Inc, 2007.

[8] M. Kis, “Information security antipatterns in software requirements engineering,” in the PLoP 2002 conference, 2002.

[9] M. A. Jackson, Problem Frames: Analysing and structuring software development problems, Addison Wesley, 2000.

[10] P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone, “Modelling security requirements through ownership, permission and delegation,” in 13th IEEE International Conference on Requirements Engineering 2005, pp.167-176, 2005.

[11] H. Mouratidis, M. Weiss, and P. Giorgini, “Modelling secure systems using an agent-oriented approach and security patterns,” International Journal of Software Engineering and Knowledge Engineering, vol.16, no.3, pp.471-498, 2006.

[12] D. Hatebur, M. Heisel, and H. Schmidt, “Security engineering using problem frames,” in Proceedings of the International Conference on Emerging Trends in Information and Communication Security (ETRICS), vol.3995, pp.238-253, Springer Berlin, Heidelberg, 2006.

[13] D. Hatebur, M. Heisel, and H. Schmidt, “A pattern system for security requirements engineering,” in Proceedings of the International Conference on Availability, Reliability and Security (AReS), pp.356-365, IEEE, 2007.

[14] D. Hatebur, M. Heisel, and H. Schmidt, “A security engineering process based on patterns,” in Proceedings of the International Workshop on Database and Expert Systems Applications (DEXA), pp.734-738, IEEE, 2007.

[15] J. Yoder and J. Barcalow, “Architectural patterns for enabling application security,” in Proceedings of PLoP '97 Conference, 1997.

[16] E. B. Fernandez and R. Pan, “A pattern language for security models,” in Proceedings of PLoP 2001 Conference, 2001.

[17] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software, Addison-Wesley Professional, 1995.

[18] C. Steel, R. Nagappan, and R. Lai, Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management, Prentice Hall, 2005.

[19] E. B. Fernandez, J. C. Pelae, and M. M. Larrondo-Petrie, “Security patterns for voice over ip networks,” in Proceedings of the International Multi-Conference on Computing in the Global Information Technology (ICCGI'07), 2007.

[20] M. Weiss, Integrating Security and Software Engineering: Advances and Future Vision, Chapter VI: Modelling Security Patterns Using NFR Analysis, pp.127-141, Idea Group Publishing, 2006.

[21] P. Morrison and E. B. Fernandez, “Securing the broker pattern,” in Proceedings of the 11th European Conference on Pattern Languages of Programs (EuroPLoP 2006), 2006.

[22] F. Buschmann, R. Meunier, H. Rohnert, P. Sommerlad, and M. Stal, Pattern-Oriented Software Architecture Volume 1: A System of Patterns, Wiley, 1996.

[23] D. Alur, J. Crupi, and D. Malks, Core J2EE Patterns: Best Practices and Design Strategies, Second Edition, Prentice Hall, 2003.

[24] E. B. Fernandez, T. Sorgente, and M. M. Larrondo-Petrie, “Even more patterns for secure operating systems,” in Proceedings of PLoP 2006 Conference, 2006.

[25] M. Hafiz, “Secure pre-forking - a pattern for performance and security,” in Proceedings of PLoP 2005 Conference, 2005.

[26] M. Sadicoff, M. M. Larrondo-Petrie, and E. B. Fernandez, “Privacy-aware network client pattern,” in Proceedings of PLoP 2005 Conference, 2005.

[27] S. Romanosky, A. Acquisti, J. Hong, L. F. Cranor, and B. Friedman, “Privacy patterns for online interactions,” in Proceedings of PLoP 2006 Conference, 2006.

[28] M. Bishop, Computer Security: Art and Science, Chapter 29: Program Security, pp.869-921, Addison Wesley, 2003.

[29] M. G. Graff and K. R. Wyk, Secure Coding: Principles and Practices, Chapter 4: Implementation, pp.99-123, O'Reilly, 2003.

[30] D. A. Wheeler, “Secure Programming for Linux and Unix HOWTO,” 1999. http://www.dwheeler.com/secure-programs/.

[31] G. McGraw and E. Felten, “Twelve rules for developing more secure java code,” 1998; http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html.

[32] J. Viega, G. McGraw, T. Mutdosch, and E. W. Felten, “Statically scanning java code: Finding security vulnerabilities,” IEEE Software, vol.17, no.5, pp.68-74, 2000.

[33] Sun Microsystems, Security code guidelines, 2000. http://java.sun.com/security/seccodeguide.html.

[34] J. Viega and M. Messier, Secure Programming Cookbook for C and C++, O'Reilly, 2003.

[35] R. C. Seacord, Secure Coding in C and C++, Addison Wesley, 2006.

[36] S. Oaks, Java Security, 2nd ed. Addison-Wesley, 2001.

[37] M. Howard and D. LeBlanc, Writing Secure Code, Second Edition, Microsoft Press, 2002.

[38] C. Wysopal, L. Nelson, D. D. Zovi, and E. Dustin, The Art of Software Security Testing, Addison-Wesley, 2006.

[39] J. A. Whittaker and H. H. Thompson, How to Break Software Security, Addison Wesley, 2001.

[40] M. Andrews and J. A. Whittaker, How to Break Web Software, Addison-Wesley, 2006.

[41] G. Hoglund and G. McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004.

[42] M. Fowler, Refactoring: Improving the Design of Existing Code, Addison-Wesley, 1999.

[43] W. F. Opdyke, Refactoring Object-Oriented Frameworks, PhD thesis, University of Illinois, Urbana-Champaign, 1992.

[44] J. Kerievsky, Refactoring to Patterns, Addison-Wesley, 2004.

[45] K. Maruyama, “Secure refactoring: Improving the security level of existing code,” in Proc. Int'l Conf. Software and Data Technologies (ICSOFT 2007), pp.222-229, 2007.

[46] M. Schumacher, Security Engineering With Patterns: Origins, Theoretical Models, and New Applications, Springer, 2003.

[47] K. Supaporn, N. Prompoon, and T. Rojkangsadan, “An approach: Constructing the grammar from security pattern,” in Proc. 4th International Joint Conference on Computer Science and Software Engineering (JCSSE2007), 2007.

[48] M. Kifer, G. Lausen, and J. Wu, “Logical foundations of object oriented and frame based languages,” Journal of ACM, vol.42, pp.741-843, 1995.

[49] T. Heyman, K. Yskout, R. Scandariato, and W. Joosen, “An analysis of the security patterns landscape,” in 3rd International Workshop on Software Engineering for Secure Systems (SESS07), Proc. 29th International Conference on Software Engineering Workshops (ICSEW'07), IEEE CS, 2007.

[50] S. Konrad, B. H. C. Cheng, L. A. Campbell, and R. Wassermann, “Using security patterns to model and analyze security requirements,” in International Workshop on Requirements for High Assurance Systems, 2003.

[51] D. G. Rosado, C. Gutierrez, E. Fernandez-Medina, and M. Piattini, “Security patterns related to security requirements,” in Proc. 4th International Workshop on Security in Information Systems (WOSIS), 2006.

[52] M. Hafiz, P. Adamczyk, and R. E. Johnson, “Organizing security patterns,” IEEE Software, vol.24, no.4, pp.52-60, 2007.

[53] Commission of European Communities, Information technology security evaluation criteria, version 1.2, 1991.

[54] J. A. Zachman, “A framework for information systems architecture,” IBM Systems Journal, vol.26, no.3, 1987.

[55] F. Swiderski and W. Snyder, Threat modeling, Microsoft Press, 2004.

[56] A. Kubo, H. Washizaki, and Y. Fukazawa, “Extracting relations among security patterns,” Submitted to 1st International Workshop on Software Patterns and Quality (SPAQu'07).

[57] A. Kubo, H. Washizaki, A. Takasu, and Y. Fukazawa, “Extracting relations among embedded software design patterns,” Journal of Design & Process Science, vol.9, no.3, pp.39-52, 2005.

[58] K. Yskout, T. Heyman, R. Scandariato, and W. Joosen, “An inventory of security patterns,” in Technical Report CW-469, Katholieke Universiteit Leuven, Department of Computer Science, 2006.

[59] Microsoft, Patternshare; http://patternshare.org/.

[60] Cunningham & Cunningham, Inc., Portland pattern repository; http://c2.com/ppr/.

[61] J. Viega and G. McGraw, Building Secure Software: How to Avoid Security Problems the Right Way, Addison-Wesley, 2001.

[62] S. T. Halkidis, A. Chatzigeorgiou, and G. Stephanides, “A qualitative evaluation of security patterns,” in Proc. International Conference on Information and Communications Security (ICICS), 2004.

[63] E. B. Fernandez, M. M. Larrondo-Petrie, T. Sorgente, and M. VanHilst, Integrating Security and Software Engineering: Advances and Future Vision, Chapter V: A methodology to develop secure systems using patterns, pp.107-126, Idea Group Publishing, 2006.

[64] E. B. Fernandez, “Security patterns,” in Procs. Eighth International Symposium on System and Information Security (SSI'2006), Keynote talk, 2006.

[65] G. Georg, I. Ray, and R. France, “Using aspects to design a secure system,” in Proc. Eighth IEEE International Conference on Engineering of Complex Computer Systems, 2002.

[66] I. Ray, R. France, N. Li, and G. Georg, “An aspect-based approach to modeling access control concerns,” Information and Software Technology, vol.46, no.9, pp.575-587, 2004.

[67] J. Jürjens, Secure Systems Development with UML, Springer, 2004.

[68] A. Apvrille and M. Pourzandi, “Secure software development by example,” IEEE Security & Privacy, vol.3, no.4, pp.10-17, 2005.

[69] M. Vokac, “Defect frequency and design patterns: an empirical study of industrial code,” Transactions on Software Engineering, vol.30, no.12, pp.904-917, 2004.

[70] L. Lin, B. Nuseibeh, D. Ince, M. Jackson, and J. Moffett, “Analysing security threats and vulnerabilities using abuse frames,” Open University Technical Report No:2003/10, 2003.

[71] R. Crook, D. Ince, L. Lin, and B. Nuseibeh, “Security requirements engineering: When anti-requirements hit the fan,” in Proceeding of the 10th Requirements Engineering Conference (RE'02), pp.9-13, 2002.

[72] P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone, “Requirements engineering meets trust management: Model, methodology, and reasoning,” in Proc. of iTrust'04, LNCS 2995, pp.176-190, Springer-Verlag, 2004.

[73] P. Hope, G. McGraw, and A. I. Anton, “Misuse and abuse cases: Getting past the positive,” IEEE Security & Privacy, vol.2, no.3, pp.90-92, 2004.

[74] E. B. Fernandez, M. VanHilst, M. M. Larrondo, and S. Huang, “Defining security requirements through misuse actions,” in IFIP International Federation for Information Processing, pp.123-137, 2006.

[75] T. Lodderstedt, D. A. Basin, and J. Doser, “SecureUML: A UML-based modeling language for model-driven security,” in Proceedings of the 5th International Conference on The Unified Modeling Language, pp.426-441, 2002.

[76] N. Yoshioka, S. Honiden, and A. Finkelstein, “Security patterns: a method for constructing secure and efficient inter-company coordination systems,” in Proceedings of Enterprise Distributed Object Computing Conference 2004 (EDOC'04), pp.84-97, 2004.