TY - GEN
T1 - Vulnerability-based security pattern categorization in search of missing patterns
AU - Anand, Priya
AU - Ryoo, Jungwoo
AU - Kazman, Rick
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2014/12/9
Y1 - 2014/12/9
N2 - A security pattern encapsulates security design expertise that addresses a recurring information security problem in the form of a proven, reusable solution. It also presents the potential problems and trade-offs of applying that solution. This paper proposes a novel classification model for security patterns. Based on our review of more than one hundred security patterns, we categorize security patterns according to the type of vulnerability they address, and we also identify similar or identical patterns that appear under different names. Our literature review indicates that very little research exists on categorizing security patterns by the vulnerabilities they address. Attackers must exploit existing vulnerabilities to break the security of an information system, so solving security problems effectively means fixing their root causes, which are the vulnerabilities themselves. The primary contribution of this paper is twofold: (1) a novel security pattern classification model that helps software designers choose an appropriate security pattern once they know the type of vulnerability they want to eliminate, and (2) the identification of missing security patterns, which emerge naturally when security patterns are classified according to the vulnerabilities they address. Identifying these missing patterns can help solicit the security community to develop new patterns for the vulnerabilities that existing patterns do not currently handle.
UR - http://www.scopus.com/inward/record.url?scp=84920620149&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84920620149&partnerID=8YFLogxK
U2 - 10.1109/ARES.2014.71
DO - 10.1109/ARES.2014.71
M3 - Conference contribution
AN - SCOPUS:84920620149
T3 - Proceedings - 9th International Conference on Availability, Reliability and Security, ARES 2014
SP - 476
EP - 483
BT - Proceedings - 9th International Conference on Availability, Reliability and Security, ARES 2014
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 9th International Conference on Availability, Reliability and Security, ARES 2014
Y2 - 8 September 2014 through 12 September 2014
ER -