11 research outputs found

    Patterns of Federated Identity Management Systems as Architectural Reconfigurations

    This paper proposes a formal model of Federated Identity Management systems (FIMs) in terms of architectural design rewriting. FIMs allow cross-domain user authentication to enable access control across organisations under the concept known as the Circle of Trust (CoT). Patterns of FIMs emerged as recurring CoT scenarios because each of the patterns has different security and trust requirements. This paper proposes a formal model for FIMs to characterise their patterns as architectural styles. More precisely, an architectural style is given to pinpoint all possible legal configurations of the CoT in terms of the patterns. The proposed model is specified through style-consistent (graphical) designs in terms of architectural design rewriting (ADR)

    Usability support security patterns

    The main feature of secure software lies in the nature of the processes and practices used to specify, design, develop and implement software. Security patterns apply the concept of a pattern to the security realm. A pattern's description helps to capture its essence immediately: what problem it addresses and what the proposed solution is. The different formats that exist for describing patterns and the multiplicity of sources mean that discovering them demands an effort that discourages systematic use by potential recipients. This paper presents the prototype of a catalogue that seeks to establish a bridge between the knowledge and experience of security experts and the knowledge needs of software development teams. WSI - II Workshop de seguridad informática. Red de Universidades con Carreras en Informática (RedUNCI

    Cataloguing as support for the use of security patterns

    The main characteristic of secure software lies in the nature of the processes and practices used to specify, design, develop and deploy the software. Early attention to security has to do with adopting a set of activities that make it possible to integrate security into the software development life cycle. Security patterns apply the concept of a pattern to the security domain, describing a particular recurring security problem that occurs in a specific context and presenting a proven solution, allowing an efficient transfer of experience and knowledge. The description of a pattern should help to capture its essence immediately: what problem it addresses and what solution it proposes. The different existing formats for describing patterns, and the multiplicity of sources where they are available, mean that discovering them demands an effort that discourages systematic use by their potential recipients. This work presents the prototype of a catalogue that seeks to build a bridge between the knowledge and experience developed by security experts and the knowledge needs of software development teams. Sociedad Argentina de Informática e Investigación Operativ

    Engineering security into distributed systems: a survey of methodologies

    Rapid technological advances in recent years have precipitated a general shift towards software distribution as a central computing paradigm. This has been accompanied by a corresponding increase in the dangers of security breaches, often causing security attributes to become an inhibiting factor for use and adoption. Despite the acknowledged importance of security, especially in the context of open and collaborative environments, there is a growing gap in the survey literature relating to systematic approaches (methodologies) for engineering secure distributed systems. In this paper, we attempt to fill the aforementioned gap by surveying and critically analyzing the state-of-the-art in security methodologies based on some form of abstract modeling (i.e. model-based methodologies) for, or applicable to, distributed systems. Our detailed reviews can be seen as a step towards increasing awareness and appreciation of a range of methodologies, allowing researchers and industry stakeholders to gain a comprehensive view of the field and make informed decisions. Following the comprehensive survey we propose a number of criteria reflecting the characteristics security methodologies should possess to be adopted in real-life industry scenarios, and evaluate each methodology accordingly. Our results highlight a number of areas for improvement, help to qualify adoption risks, and indicate future research directions. Anton V. Uzunov, Eduardo B. Fernandez, Katrina Falkne

    Using Codecharts for formally modelling and automating detection of patterns with application to Security Patterns

    Software design patterns are solutions for recurring design problems. Many have introduced their catalogues in order to describe those patterns using templates which consist of informal statements as well as UML diagrams. Security patterns are design patterns for specific security problem domains; therefore, they are described in the same manner. However, the current catalogues describing security patterns contain a level of ambiguity and imprecision. These issues might result in incorrect implementations, which can become critical and costly security flaws, especially after delivery. In addition, software maintainability will be difficult thereafter, especially for systems with poor documentation. Therefore, it is important to overcome these issues through pattern formalisation, so that the same understanding of the patterns to be implemented can be shared. The current pattern formalisation approaches aim to translate UML diagrams using different formal methods. However, these diagrams are incomplete or suffer from levels of ambiguity and imprecision. Furthermore, the diagram notations employed cannot depict the abstraction shown in the pattern descriptions. In addition, the current formalisation approaches cannot formalise some security properties shown in the diagrams, such as the system boundary. Furthermore, detecting patterns in source code improves overall software maintenance, especially since obsolete or lost system documentation is often the case for large and legacy systems. Current pattern detection approaches rely on translating the diagrams of the patterns. Consequently, detecting patterns with abstraction is not possible using such approaches. In addition, these approaches lack generality, abstraction detection, and efficiency. This research suggests the use of Codecharts for security pattern formalisation as well as for studying relationships among patterns. Besides, it investigates relationships among patterns. Furthermore, it proposes a pattern detection approach which outperforms the current pattern detection approaches in terms of generality and abstraction detection. The approach competes in performance with the current efficient pattern detection approaches

    Security-Pattern Recognition and Validation

    The increasing and diverse number of technologies that are connected to the Internet, such as distributed enterprise systems or small electronic devices like smartphones, brings the topic of IT security to the foreground. We interact daily with these technologies and place much trust in a well-established software development process. However, security vulnerabilities appear in software on all kinds of PC(-like) platforms, and more and more vulnerabilities are published, which compromise systems and their users. Thus, software also has to be modified due to changing requirements, bugs, and security flaws, and software engineers must more and more face security issues during software design; maintenance programmers in particular must deal with such use cases after software has been released. In the domain of software development, design patterns have been proposed as the best-known solutions for recurring problems in software design. Analogously, security patterns are best practices aiming at ensuring security. This thesis develops a deeper understanding of the nature of security patterns. It focuses on their validation and detection regarding the support of reviews and maintenance activities. The landscape of security patterns is diverse. Thus, published security patterns are collected and organized to identify software-related security patterns. The description of the selected software-security patterns is assessed, and they are compared against the common design patterns described by Gamma et al. to identify differences and issues that may influence the detection of security patterns. Based on these insights and a manual detection approach, we illustrate an automatic detection method for security patterns. The approach is implemented in a tool and evaluated in a case study with 25 real-world Android applications from Google Play

    Security in Embedded Systems: A Model-Based Approach with Risk Metrics
