Vulnerability-based security pattern categorization in search of missing patterns

Priya Anand, Jungwoo Ryoo, Rick Kazman

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

15 Scopus citations

Abstract

A Security Pattern encapsulates security design expertise that addresses recurring information security problems in the form of a credentialed solution. It also presents the potential problems and trade-offs involved in applying it. This paper proposes a novel classification model for security patterns. Based on our review of more than one hundred security patterns, we categorize security patterns according to the type of vulnerability they address and also identify similar or identical patterns that appear under different names. Our literature review indicates that very little research exists on categorizing security patterns based on vulnerabilities. Attackers need to exploit existing vulnerabilities to break the security of an information system, so to solve security problems effectively we have to fix their root causes, which are vulnerabilities. The primary contribution of this paper is twofold: (1) to propose a novel security pattern classification model that helps software designers choose an appropriate security pattern once they know the type of vulnerability they want to remove, and (2) to identify missing security patterns, which emerge naturally from classifying security patterns according to the vulnerabilities they address. Identifying missing patterns could be useful in soliciting help from the security community to develop more patterns that tackle the vulnerabilities not handled by existing patterns.

Original language: English (US)
Title of host publication: Proceedings - 9th International Conference on Availability, Reliability and Security, ARES 2014
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 476-483
Number of pages: 8
ISBN (Electronic): 9781479942237
DOIs
State: Published - Dec 9 2014
Event: 9th International Conference on Availability, Reliability and Security, ARES 2014 - Fribourg, Switzerland
Duration: Sep 8 2014 to Sep 12 2014

Publication series

Name: Proceedings - 9th International Conference on Availability, Reliability and Security, ARES 2014

Other

Other: 9th International Conference on Availability, Reliability and Security, ARES 2014
Country/Territory: Switzerland
City: Fribourg
Period: 9/8/14 to 9/12/14

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
