Vulnerability-Based Security Pattern Categorization in Search of Missing Patterns

Anand, P. M. Rubesh; Ryoo, Jungwoo; Kazman, Rick

doi:10.1109/ares.2014.71

Cited by 15 publications

(12 citation statements)

References 6 publications

(7 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some other works such as (Jafari and Rasoolzadegan, 2016) and (Fernandez and Ortega-Arjona, 2009) have focused on the idea of adding security capabilities to previously un-secure design patterns.  Pattern languages and the Classification (or Categorization) of patterns: Developments in this regard include attempts at classifying security patterns (Anand et al, 2014), (Fernandez et al, 2008) or presenting new pattern languages (Hafiz et al, 2012), (Li et al, 2013), (Mundie et al, 2012). It's worth noting that a pattern language is not just a catalog of patterns, but also a system to guide the designers in using multiple patterns to design secure systems (Hafiz, 2013).…”

Section: The Pattern Development Categorymentioning

confidence: 99%

“…(Ponde et al, 2016), (Hafiz et al, 2007) Vulnerability OWASP's vulnerability classification. (Anand et al, 2014) This section includes our analyses and discussions regarding the results in section 3. Instead of presenting a separate discussion for each of the 9 research questions, we have categorized our discussion into 4 subsections which collectively covers the entire results of this study.…”

Section: Classification Criteria Sample Values Examplesmentioning

confidence: 99%

See 1 more Smart Citation

Security patterns: A systematic mapping study

Jafari

Rasoolzadegan

2020

Journal of Computer Languages

View full text Add to dashboard Cite

Security patterns are a means to encapsulate and communicate proven security solutions. They are wellestablished approaches for introducing security into the software development process. Our objective is to explore the research efforts on security patterns and discuss the current state of the art. This study will serve as a guideline for researchers, practitioners, and teachers interested in this field. We have conducted a systematic mapping study of relevant literature from 1997 until the end of 2017 and identified 403 relevant papers, 274 of which were selected for analysis based on quality criteria. This study derives a customized research strategy from established systematic approaches in the literature. We have utilized an exhaustive 3-tier search strategy to ensure a high degree of completeness during the study collection and used a test set to evaluate our search. The first 3 research questions address the demographics of security pattern research such as topic classification, trends, and distribution between academia and industry, along with prominent researchers and venues. The next 9 research questions focus on more indepth analyses such as pattern presentation notations and classification criteria, pattern evaluation techniques, and pattern usage environments. The results and discussions of this study have significant implications for researchers, practitioners, and teachers in software engineering and information security. to the end of 2017 Security pattern related research (Development, Evaluation, Usage)TABLE 1 COMPARISON BETWEEN OUR WORK AND OTHER REVIEWSpattern research and instead, attempted to cover the entire research spectrum in this field. We initially planned to utilize only two search strategies (manual search and backward snowballing), but we found that these two approaches were lacking in a few specific instances. The issue with backward snowballing and manual search is that they rely on the cross-reference relationship between research papers. Papers referenced from multiple other papers, or published in commonly occurring venues are easily discovered, whereas isolated papers in unexpected venues have a chance of never being found. Another issue with backward snowballing stems from its backward nature. The search period for our study was up to the end of 2017, but to find 2017 papers through backward snowballing, we had to analyze papers published after that period (2018 and up) which was out of our scope. Similarly, newer papers with fewer citations are hard to discover through backward snowballing. Adding a database search proved beneficial as we discovered 97 new papers, 64 of which were included.The time period for the study of Uzunov et al. (Uzunov et al., 2012) and Yoshioka et al. (Yoshioka et al., 2008) in Table 1 are not explicitly stated, but are extracted based on the references list. In the work of Bunke et al. (Bunke et al., 2012), the mentioned number of studies consists of other non-primary studies (e.g. tech reports, books, surveys). This work utilizes three search strat...

show abstract

Section: The Pattern Development Categorymentioning

confidence: 99%

Section: Classification Criteria Sample Values Examplesmentioning

confidence: 99%

Security patterns: A systematic mapping study

Jafari

Rasoolzadegan

2020

Journal of Computer Languages

View full text Add to dashboard Cite

show abstract

“…(Bunke et al, 2012), but the notions of attacks or vulnerabilities are not mentioned. Vulnerabilities are taken into consideration for pattern classification in (Anand et al, 2014;Alvi and Zulkernine, 2011). This gives another point of view helping designers in the choice of patterns to fix software vulnerabilities.…”

Section: Related Workmentioning

confidence: 99%

“…)., by vulnerabilities (Anand et al, 2014;Alvi and Zulkernine, 2011) or by attacks (Wiesauer and Sametinger, 2009;Alvi and Zulkernine, 2011). Despite the improvements in the pattern choice brought by these classifications, several issues still remain open.…”

Section: Introductionmentioning

confidence: 99%

A Methodology of Security Pattern Classification and of Attack-Defense Tree Generation

Regainia

Salva

2017

Proceedings of the 3rd International Conference on Information Systems Security and Privacy

View full text Add to dashboard Cite

Security at the design stage of the software life cycle can be performed by means of security patterns, which are viable and reusable solutions to regular security problems. Their generic nature and growing number make their choice difficult though, even for experts in system design. To guide them through the appropriate choice of patterns, we present a methodology of security pattern classification and the classification itself, which exposes relationships among attacks, weaknesses and security patterns. Given an attack of the CAPEC (Common Attack Patterns Enumeration and Classification) database , the classification expresses the security pattern combinations that overcome the attack. The methodology, which generates the classification is composed of five steps, which decompose patterns and attacks into sets of more precise sub-properties that are associated. These steps provide the justifications of the classification and can be followed again to upgrade it. From the classification, we also generate Attack-Defense Trees (ADTtrees), which depict an attack, its sub-attacks and the related defenses in the form of security pattern combinations. Without loss of generality, this classification has been established for Web applications and covers 215 attacks, 136 software weaknesses and 26 security patterns.

show abstract

“…Despite the benefits brought by these studies, this kind of classification remains insufficient because security principles are mostly abstract and lead to imprecise categories from which designers still have to take a decision on the Research supported by the industrial chair on Digital Confidence (http://confiance-numerique.clermont-universite.fr/index-en.html) patterns to implement. This is why other works proposed to classify security patterns according to vulnerabilities [6], [4]. For a given security pattern, these classifications provide the vulnerabilities that are mitigated with the application of this pattern.…”

Section: Introductionmentioning

confidence: 99%

A classification methodology for security patterns to help fix software weaknesses

Regainia

Salva

Ecuhcurs

2016

2016 IEEE/ACS 13th International Conference of Computer Systems and Applications (AICCSA)

View full text Add to dashboard Cite

Security patterns are generic solutions that can be applied since early stages of software life to overcome recurrent security weaknesses. Their generic nature and growing number make their choice difficult, even for experts in system design. To help them on the pattern choice, this paper proposes a semiautomatic methodology of classification and the classification itself, which exposes relationships among software weaknesses, security principles and security patterns. It expresses which patterns remove a given weakness with respect to the security principles that have to be addressed to fix the weakness. The methodology is based on seven steps, which anatomize patterns and weaknesses into set of more precise sub-properties that are associated through a hierarchical organization of security principles. These steps provide the detailed justifications of the resulting classification and allow its upgrade. Without loss of generality, this classification has been established for Web applications and covers 185 software weaknesses, 26 security patterns and 66 security principles.

show abstract

Vulnerability-Based Security Pattern Categorization in Search of Missing Patterns

Cited by 15 publications

References 6 publications

Security patterns: A systematic mapping study

Security patterns: A systematic mapping study

A Methodology of Security Pattern Classification and of Attack-Defense Tree Generation

A classification methodology for security patterns to help fix software weaknesses

Contact Info

Product

Resources

About