Towards a Pattern-Based Security Methodology to Build Secure Information Systems

Roberto Ortiz, Santiago Moral-Rubio, Javier Garzás, Eduardo Fernández-Medina

Abstract

Methodologies for the construction of secure systems provide a controlled, planned development process, with verifications in all stages, thus avoiding unexpected errors and leading to an improvement in the quality and security of the system produced. These methodologies can be enriched by the use of security patterns, which are widely accepted by both the scientific community and industry for the construction of secure information systems because they accumulate security experts’ knowledge in a documented and structured manner, thus providing a systematic means to solve recurrent problems. In this paper we present a first approximation of a pattern-based security methodology to support both the construction of secure information systems and the maintenance of the level of security attained. This proposal is based on real case studies, and is now in the first stages of application in real settings. Interesting results are already appearing that will allow us to refine and validate the proposal.



Paper Citation


in Harvard Style

Ortiz R., Moral-Rubio S., Garzás J. and Fernández-Medina E. (2011). Towards a Pattern-Based Security Methodology to Build Secure Information Systems. In Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011) ISBN 978-989-8425-61-4, pages 59-69. DOI: 10.5220/0003579300590069


in Bibtex Style

@conference{wosis11,
author={Roberto Ortiz and Santiago Moral-Rubio and Javier Garzás and Eduardo Fernández-Medina},
title={Towards a Pattern-Based Security Methodology to Build Secure Information Systems},
booktitle={Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)},
year={2011},
pages={59-69},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003579300590069},
isbn={978-989-8425-61-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)
TI - Towards a Pattern-Based Security Methodology to Build Secure Information Systems
SN - 978-989-8425-61-4
AU - Ortiz R.
AU - Moral-Rubio S.
AU - Garzás J.
AU - Fernández-Medina E.
PY - 2011
SP - 59
EP - 69
DO - 10.5220/0003579300590069