Now Offering a 50% Discount When a Minimum of Five Titles in Related Subject Areas are Purchased TogetherAlso, receive free worldwide shipping on orders over US$ 395.(This offer will be automatically applied upon checkout and is applicable to print & digital publications)Browse Titles

Special Offers
- Receive a 50% Discount When a Minimum of Five Titles are Purchased Together
  This 50% discount is automatically applied upon checkout and is only applicable when five or more reference books and scholarly journals are ordered. Discount valid on purchases made directly through IGI Global’s Online Bookstore (www.igi-global.com) and cannot be combined with any other discount. It may not be used by distributors or book sellers and the offer does not apply to databases. Exclusions of select titles may apply.
  Browse Titles
- IGI Global Converts Over 30+ Journals to Full Gold Open Access (OA)
  With access to digital resources and OA content being critical during this time, IGI Global has converted 30 journals to full Gold OA. IGI Global OA provides a quality, expediate, high-quality OA publishing process, flexible funding options, and more, which allows researchers to benefit from freely and immediately sharing their peer-reviewed research with the world.
  Learn More
- Additional Source of OA Funding When Your Institution Invests in IGI Global’s InfoSci-Databases
  When an institution invests in IGI Global’s InfoSci-Databases, IGI Global will match the library’s investment with a fund of equal value to go toward subsidizing the OA article processing charges (APCs) for faculty at that institution when their work is submitted and accepted under OA (following peer review) into an IGI Global journal.
  Learn More
- Reduced Research Anthology Pricing
  Based on the increased interest in our Research Anthologies line from last year and understanding current budgetary limitations, IGI Global is reducing the price of our multi-volume Research Anthologies up to 50%. These publications are ideal for accommodating library budgets, as they contain hand-selected research content of the highest quality.
  Learn More
- Receive Complimentary Electronic Access to the First, Second, Third, and Fourth Edition of the
  Encyclopedia of Information Science and Technology with the Purchase of the Fifth Edition
  For a limited time, receive the complimentary e-books for the first, second, third, and fourth editions with the purchase of the Encyclopedia of Information Science and Technology, Fifth Edition e-book*. Offer is only valid when purchasing the fifth edition’s hardcover + e-book or e-book only option directly through IGI Global’s Online Bookstore (www.igi-global.com/books) and is not intended for use by book distributors or wholesalers. Contact Customer Service, cust@igi-global.com, for details. Offer expires July 1, 2021.
  Learn More
- Offering a 5% Pre-Publication Discount on
  All Reference Books Ordered Through IGI Global’s Online Bookstore*
  To support customers with accessing the latest research, IGI Global is offering a 5% pre-publication discount on all hardcover, softcover, e-books, and hardcover + e-books titles.
  *5% discount offer is eligible on hardcover, softcover, e-books, and hardcover + e-books titles and is automatically applied directly to the shopping cart. Discount offer only valid on purchases made directly through IGI Global’s Online Bookstore and offer expires 30 days after the publication’s release. This automatic discount is not intended for use by book distributors or wholesalers.
  Browse Titles
- Receive Free Shipping on Orders Over US$ 295.00
  Free shipping will be automatically applied to shopping cart orders over US$ 295.00 or more before tax, which can include a combination of print and non-shippable products (i.e. e-books, e-journals, and articles/chapters). It is only available when you order directly through IGI Global’s Online Bookstore and is only valid on standard U.S. and international shipping. There will be additional charges for express shipping and limitations may apply.
  Browse Titles
- Create a Free IGI Global Library Account to Receive an Additional 5% Discount on All Purchases
  Exclusive benefits include one-click shopping, flexible payment options, free COUNTER 5 reports and MARC records, and a 5% discount on single all titles, as well as the award-winning InfoSci^®-Databases.
  Sign Up Now!
Books
Journals
- - Journals
  - Open Access Journals
InfoSci^®-Databases
Articles/Chapters
Publish with Us
Resources
- - Instructors
  - Course Adoption
  - Teaching Cases
  - K-12 Online Learning Collection
  - Authors and Editors
  - eEditorial Discovery^® System
  - Peer Review Process
  - Ethics and Malpractice
  - COPE Membership
  - Fair Use Policy
  - Open Access Publishing
  - Editorial Services
  - FAQ
Catalogs
About Us
Newsroom

Security Patterns: Comparing Modeling Approaches

Armstrong Nhlabatsi (The Open University, UK), Arosha Bandara (The Open University, UK), Shinpei Hayashi (Tokyo Institute of Technology, Japan), Charles Haley (The Open University, UK), Jan Jurjens (The Open University, UK), Haruhiko Kaiya (Shinshu University, Japan), Atsuto Kubo (National Institute of Informatics, Japan), Robin Laney (The Open University, UK), Haralambos Mouratidis (University of East London, UK), Bashar Nuseibeh (The Open University, UK & Lero, Ireland), Thein Tun (The Open University, UK), Hironori Washizaki (Waseda University, Japan), Nobukazu Yoshioka (National Institute of Informatics, Japan) and Yijun Yu (The Open University, UK)

Source Title: Software Engineering for Secure Systems: Industrial and Research Perspectives

DOI: 10.4018/978-1-61520-837-1.ch004

OnDemand PDF Download:

Available

$37.50

Current Special Offers

No Current Special Offers

Abstract

Addressing the challenges of developing secure software systems remains an active research area in software engineering. Current research efforts have resulted in the documentation of recurring security problems as security patterns. Security patterns provide encapsulated solutions to specific security problems and can be used to build secure systems by designers with little knowledge of security. Despite this benefit, there is lack of work that focus on evaluating the capabilities of security analysis approaches for their support in incorporating security analysis patterns. This chapter presents evaluation results of a study we conducted to examine the extent to which constructs provided by security requirements engineering approaches can support the use of security patterns as part of the analysis of security problems. To achieve this general objective, the authors used a specific security pattern and examined the challenges of representing this pattern in some security modeling approaches. The authors classify the security modeling approaches into two categories: problem and solution and illustrate their capabilities with a well-known security patterns and some practical security examples. Based on the specific security pattern they have used our evaluation results suggest that current approaches to security engineering are, to a large extent, capable of incorporating security analysis patterns.

Chapter Preview

Top

1. Introduction

The collective experience of engineering secure software systems indicates that potential considerations for vulnerabilities in system design are both broad and deep. Anything from a single line of program code, the level of power consumption by the computer, to lapses in human memory may invite security breaches. Security engineers, therefore, need an array of tools at their disposal in dealing with diverse security problems. An integral part of the toolkit is the ability to access transferable design knowledge. Very often it is convenient to document this transferable knowledge in a pattern. A pattern is a description of a recurring problem and its corresponding successful solution (Gamma et al., 1996). As a pattern describes the identified recurring problem and its solution in principle, it (pattern) can be described in different languages. We call the description of a pattern using a specific modelling language, such as UML, its representation. Security patterns are well-understood solutions to recurring security problems (Schumacher et al., 2005). They enable engineers to recognise, with relative ease, known vulnerabilities in their design and potential solutions. Several security patterns have been reported by practitioners and researchers, and there are lively and ongoing discussions about the discovery, documentation and application of security patterns.

Although many security patterns are documented in the public domain, they are often specifically tied to the language and the method in which they are expressed. Since security engineers do not have a common language and method to model, analyse and implement systems, it is important to know whether a particular security pattern can be expressed and applied in their own approach. This chapter aims to examine some of the languages in which security patterns may be expressed and the methods in which they are applied, with a view to articulating their relative strengths and weaknesses.

In this survey, we will focus primarily on the languages for modelling and methods for applying security patterns in early requirements analysis and designs. This choices are both principled and practical: principled because earlier patterns are less understood compared to those at the implementation level and because early prevention of security vulnerabilities is thought to be less costly than remedial actions taken later; and practical because further expanding the scope of the survey would open up issues that are too many to be discussed in this chapter.

The main contribution of this chapter is an evaluation of security pattern modelling approaches. Our evaluation builds on the survey of security patterns by Yoshioka et al. (Yoshioka et al., 2008). We compare approaches from the following three categories because these approaches are repeatedly referred as representative ones that address security in models (Mayer et al., 2007; Cabot and Zannone, 2008): object-oriented design (UML, SecureUML, UMLsec, Misuse Cases), goal-oriented (KAOS, Secure Tropos, i*), and problem-oriented (problem frames, abuse frames). In comparing and contrasting these different approaches, we adopt the widely acknowledge security pattern, Roll-Based Access Control (RBAC), and a familiar example to illustrate different aspects of each approach using a common set of evaluation criteria to judge the pros and cons of each approach. The general objective of this survey is to evaluate how security patterns can be described in selected requirements engineering approaches: in particular whether all key properties of RBAC can be expressed in those approaches. In other words, we are evaluating what each RE approach is able (and not able) to describe. Evaluation results should be useful for the following stakeholders: security pattern designers can use the results to find out what languages are appropriate for modeling their patterns; and application designers can use security patterns to develop their applications with desired quality characteristics including security. Since the evaluation results characterise the attributes of existing security patterns, they can also be used to improve the understanding of these security patterns that are modelled by any one of the approaches evaluated in the chapter. This survey aims to examine some of the languages in which security patterns may be expressed partially or entirely.

Complete Chapter List

Search this Book:

Reset

MLA

APA

Chicago

Export Reference

Security Patterns: Comparing Modeling Approaches

Abstract

1. Introduction

Complete Chapter List