7 research outputs found

    A security pattern classification based on Data integration

    Revised paper from the third International Conference, ICISSP 2017, Porto, Portugal, February 19-21, 2017.

    Security patterns are design patterns specialised to provide reusable and general solutions to recurring security problems. These patterns, which capture the strengths of different security approaches, are intended to make the design of maintainable and secure applications easier. The pattern community is continuously providing new security patterns (180 patterns are available at the moment). For a given problem, this growing pattern set along with their abstract presentations make the security pattern choice tedious, even for experts in software design. We contribute in this issue by presenting a method of security pattern classification based upon data extraction and integration. The pattern classification is semi-automatically inferred by means of a data-store integrating disparate publicly available security data. This classification exposes relationships among software attacks, weaknesses, security principles and security patterns. It expresses the pattern combinations that can counter a given attack. Besides the pattern classification, we show that the data-store can be used to generate Attack Defense Trees. In our context, these illustrate, for a given attack, its sub-attacks and the related defenses given under the form of security pattern combinations. Such trees make the pattern classification more readable even for beginners in security patterns. Finally, we evaluate on 25 human subjects the benefits of using Attack Defense Trees and a classification established for Web applications, which covers 215 attacks, 136 software weaknesses, 66 security principles and 26 security patterns.

    Multi-dimensional Model Driven Policy Generation

    As Cloud Computing provides agile and scalable IT infrastructure, QoS-assured services and customizable computing environment, it increases the call for agile and dynamic deployment and governance environments over multi-cloud infrastructure. By now, governance and Non Functional Properties (such as security, QoS…) are managed in a static way, limiting the global benefits of deploying service-based information system over multi-cloud environments. To overcome this limit, we propose a contextualised policy generation process to allow both an agile management NFP in a multi-cloud context and a secured deployment of the service-based information system. The last step of this Model Driven Policy Engineering approach uses policies as Model@runtime to select, compose, deploy and orchestrate NFP management functions depending on the exact execution context. Moreover, a dynamic governance loop including autonomic KPI management is used to control continuously the governance results.

    Security Patterns Modeling and Formalization for Pattern-based Development of Secure Software Systems

    Pattern-based development of software systems has gained more attention recently by addressing new challenges such as security and dependability. However, there are still gaps in existing modeling languages and/or formalisms dedicated to modeling design patterns and how to reuse them in the automation of software development. The solution envisaged here is based on combining metamodeling techniques and formal methods to represent security patterns at two levels of abstraction to foster reuse. The goal of the paper is to advance the state of the art in model and pattern-based security for software and systems engineering in three relevant areas: (1) develop a modeling language to support the definition of security patterns using metamodeling techniques; (2) provide a formal representation and its associated validation mechanisms for the verification of security properties; and (3) derive a set of guidelines for the modeling of security patterns within the integration of these two kinds of representations.