Design Patterns are now widely accepted and used in software engineering; they represent generic and reusable solutions to common problems in software design. Security patterns are specialised patterns whose purpose is to help design applications that should meet security requirements. The enthusiasm surrounding security patterns has made emerge several catalogues listing up to 180 different patterns at the moment. This growing number brings an increased difficulty in choosing the most appropriate patterns for a given design problem. We propose a security pattern classification to facilitate the security pattern choice and a classification method based on data integration. The classification exposes relationships among software attacks, security principles and security patterns. It expresses the pattern combinations that are countermeasures to a given attack. This classification is semi-automatically inferred by means of a data-store integrating disparate publicly available security data. The data-store is also used to generate Attack Defense Trees. In our context, these illustrate, for a given attack, its sub-attacks, steps, techniques and the related defenses given under the form of security pattern combinations. Such trees make the pattern classification more readable even for beginners in security patterns. Finally, we evaluate on human subjects the benefits of using a pattern classification established for Web applications, which covers 215 attacks, 66 security principles and 26 security patterns.
A.K.Alvi and M.Zulkernine, A natural classification scheme for software security patterns, in: 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, 2011, pp. 113–120. doi:10.1109/DASC.2011.42.
2.
A.K.Alvi and M.Zulkernine, A comparative study of software security pattern classifications, in: 2012 Seventh International Conference on Availability, Reliability and Security, 2012, pp. 582–589. doi:10.1109/ARES.2012.43.
3.
P.Anand, J.Ryoo and R.Kazman, Vulnerability-based security pattern categorization in search of missing patterns, in: 2014 Ninth International Conference on Availability, Reliability and Security, 2014, pp. 476–483. doi:10.1109/ARES.2014.71.
4.
L.Bass, P.Clements and R.Kazman, Software Architecture in Practice, 3rd edn, Addison-Wesley Professional, 2012.
5.
M.Bunke, R.Koschke and K.Sohr, Organizing security patterns related to security and pattern recognition requirements, International Journal on Advances in Security5 (2012).
6.
M.Daun, C.Hübscher and T.Weyer, Controlled experiments with student participants in software engineering: Preliminary results from a systematic mapping study, CoRR, abs/1708.04662, 2017.
7.
V.Dialani, S.Miles, L.Moreau, D.De Roure and M.Luck, Transparent fault tolerance for web services based architectures, in: Euro-Par 2002 Parallel Processing, Springer, 2002, pp. 889–898. doi:10.1007/3-540-45706-2_126.
8.
E.B.Fernandez, Security patterns and secure systems design, in: Dependable Computing, A.Bondavalli, F.Brasileiro and S.Rajsbaum, eds, Springer, Berlin, Heidelberg, 2007, pp. 233–234. doi:10.1007/978-3-540-75294-3_18.
9.
E.B.Fernandez, H.Astudillo and G.Pedraza-García, Revisiting architectural tactics for security, in: Software Architecture, D.Weyns, R.Mirandola and I.Crnkovic, eds, Springer International Publishing, Cham, 2015, pp. 55–69. doi:10.1007/978-3-319-23727-5_5.
10.
D.Harb, C.Bouhours and H.Leblanc, Using an Ontology to Suggest Software Design Patterns Integration, Springer, Berlin Heidelberg, 2009, pp. 318–331.
11.
R.Jhawar, B.Kordy, S.Mauw, S.Radomirović and R.Trujillo-Rasua, Attack trees with sequential conjunction, in: IFIP International Information Security Conference, Springer, 2015, pp. 339–353.
12.
B.Kordy, P.Kordy, S.Mauw and P.Schweitzer, ADTool: Security analysis with attack–defense trees, in: International Conference on Quantitative Evaluation of Systems, Springer, 2013, pp. 173–176. doi:10.1007/978-3-642-40196-1_15.
13.
B.Kordy, S.Mauw, S.Radomirović and P.Schweitzer, Attack–defense trees, Journal of Logic and Computation (2012), exs029.
L.Regainia and S.Salva, A methodology of security pattern classification and of attack-defense tree generation, in: Proceedings of the 3nd International Conference on Information Systems Security and Privacy (ICISSP 2017, Porto, Portugal, 02 2017, O.Camp, S.Furnell and P.Mori, eds, SciTePress.
21.
L.Regainia and S.Salva, Security pattern classification, companion site, 2018, http://regainia.com/research/companion.html.
22.
L.Regainia, S.Salva and C.Bouhours, A classification methodology for security patterns to help fix software weaknesses, in: 13th ACS/IEEE International Conference on Computer Systems and Applications AICCSA 2016, Agadir, Morocco, 11 2016, IEEE Computer Society.
23.
L.Reigaigna, C.Bouhours and S.Salva, A systematic approach to assist designers in security pattern integration, in: The Second International Conference on Advances and Trends in Software Engineering (SOFTENG 2016), Lisbon, Portugal, 02 2016.
J.H.Saltzer and M.D.Schroeder, The protection of information in computer systems, Proceedings of the IEEE63(9) (1975), 1278–1308. doi:10.1109/PROC.1975.9939.
26.
J.Scambray and E.Olson, Improving Web Application Security, 2003.
27.
M.Schumacher, Security Engineering with Patterns: Origins, Theoretical Models, and New Applications, Springer-Verlag, New York, 2003.
28.
R.Slavin and J.Niu, Security patterns repository, 2017, http://sefm.cs.utsa.edu/repository/.
29.
P.-N.Tan, M.Steinbach and V.Kumar, Introduction to Data Mining, 1st edn, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2005.
30.
I.A.Tøndel, J.Jensen and L.Røstad, Combining misuse cases with attack trees and security activity models, in: Availability, Reliability, and Security, 2010. ARES’10 International Conference on, IEEE, 2010, pp. 438–445. doi:10.1109/ARES.2010.101.
31.
A.V.Uzunov and E.B.Fernandez, An extensible pattern-based library and taxonomy of security threats for distributed systems, Computer Standards & Interfaces36(4) (2014), 734–747. doi:10.1016/j.csi.2013.12.008.
32.
J.Viega and G.McGraw, Building Secure Software: How to Avoid Security Problems the Right Way, Portable Documents, Pearson Education, 2001.
33.
R.Wassermann and B.H.Cheng, Security patterns, in: Michigan State University, PLoP Conf., 2003, Citeseer.
34.
A.Wiesauer and J.Sametinger, A security design pattern taxonomy based on attack patterns, in: International Joint Conference on E-Business and Telecommunications, 2009, pp. 387–394.
35.
P.Willett, Recent trends in hierarchic document clustering: A critical review, Information Processing & Management24(5) (1988), 577–597. doi:10.1016/0306-4573(88)90027-1.
36.
J.Yoder, J.Yoder, J.Barcalow and J.Barcalow, Architectural patterns for enabling application security, in: Proceedings of PLoP 1997, 1998, 51:31.
37.
K.Yskout, T.Heyman, R.Scandariato and W.Joosen, A system of security patterns, technical report cw-469, 2006.
38.
K.Yskout, R.Scandariato and W.Joosen, Do security patterns really help designers? in: Proceedings of the 37th International Conference on Software Engineering – Volume 1, ICSE ’15, IEEE Press, Piscataway, NJ, USA, 2015, pp. 292–302.
