Building Secure Software Architectures using Security Patterns
Patterns combine experience and good practices to develop basic models that can be used to build new systems and to evaluate existing systems. Security patterns join the extensive knowledge accumulated about security with the structure provided by patterns to provide guidelines for secure system design and evaluation. We consider the structure and purpose of security patterns, show a variety of security patterns, and illustrate their use in the construction of secure systems. These patterns include among others Authentication, Authorization/Access Control, Firewalls, Secure Broker, Web Services Security patterns, and Cloud Security patterns. We have built a catalog of over 100 security patterns. We complement these patterns with misuse patterns, which describe how an attack is performed from the point of view of the attacker and how it can be stopped. We integrate patterns in the form of security reference architectures. Reference architectures have not been used much in security and we explore their possibilities. We introduce patterns in a conceptual way, relating them to their purposes and to the functional parts of the architecture. We show how to apply these patterns through a secure system development methodology. Example architectures include a financial system and a SCADA system (a cyber-physical system). The use of patterns can provide a holistic view of security, which is a fundamental principle to build secure systems. Patterns can be applied throughout the software lifecycle and provide an ideal communication tool for the builders of the system. They are also useful to record design decisions. The patterns and reference architectures are shown using UML models and examples are taken from my two books on security patterns as well as from my recent publications. I have written more security patterns than anybody else in the world.
Thu 29 OctDisplayed time zone: Eastern Time (US & Canada) change
10:30 - 12:00
|Building Secure Software Architectures using Security Patterns|
Eduardo Fernandez Florida Atlantic University