Use Of Security Patterns Research Articles

Application of security reference architecture to Big Data ecosystems in an industrial scenario

SummaryBig Data environments are typically very complex ecosystems; this means that implementing them is complicated. One possible technique with which to address this complexity is the use of abstraction. Reference architecture (RA) can be useful for an improved understanding of the main components of Big Data. Herein, we propose a security RA that includes the management of security concerns and provides the main elements of a Big Data ecosystem. Application of this architecture to real‐world scenarios facilitates its refinement and improves its usefulness. In this article, we present a case study of a real‐world Big Data ecosystem implemented in a banking environment. This ecosystem was developed by everis, an NTT company with which we collaborated for this study. To conduct this validation case study, a map was established between the elements of the Big Data ecosystem implemented and our proposal. Consequently, a series of valuable lessons that can improve both our architecture and the security of the Big Data environment were obtained. These include recommendations for a set of best practices such as the use of security patterns.

Use of Security Patterns for Development of Secure Healthcare Information System

Healthcare systems have recently received attention from industry related to the sensitive and confidential information stored in it. This information is shared among different physicians, surgeons and technicians in the distributed and heterogeneous environment. Bearing these security concerns in mind a model driven methodology of using security patterns for development of secure healthcare information systems is proposed. This methodology consists of an extension of Unified Modeling Language (UML) deployment diagram namely as Security Patterns Deployment Diagram (SPDD) and a tool that supports for extending the use of proposed diagram. The proposed method has been validated by performing a case study on Healthcare Information System.

Security knowledge representation artifacts for creating secure IT systems

The creation of secure applications is more than ever a complex task because it requires from system engineers increasing levels of knowledge in security requirements, design and implementation. In fact, the fast increasing size and volatility of this knowledge has reached a point in which it is unrealistic to expect that system engineers can keep up to date with it. The most prominent paradigm for addressing this problem is the use of security patterns to communicate security knowledge from experts to system designers. This, and other security artifacts, have proved their utility and benefits in the past years, improving the way security is taken into account by system engineers and developers. On the other hand, these artifacts have some limitations that have prevented them from becoming more widespread. In particular, security patterns are human-oriented and as such heavily based on natural language, which implies intrinsic high degrees of imprecision and ambiguity. In our opinion, we need to make the move from purely human-oriented artifacts to hybrid artifacts that convey information for both humans (engineers and designers) and computer tools (engineering and development environments). Therefore, we have created a new security knowledge representation artifact that aims to cover the needs of system engineers and help them not only in applying a solution, but also in understanding the security aspects of a given domain as a highly-related set of security concepts (e.g. properties, requirements, solutions, etc.). This artifact, called Domain Security Metamodel (DSM), is, as its name suggests, domain-specific and contains information about all security aspects that are relevant in a specific domain (e.g. embedded systems, web services, etc.). The DSM contains security solutions that implement the security properties of the specific domains. That way, when users apply them into their system models the solutions for development time can be integrated directly and naturally. In order to describe our approach in a useful way we use a running example based on the Web Service Security (WS-Security) specification.

ASE: A comprehensive pattern-driven security methodology for distributed systems

Incorporating security features is one of the most important and challenging tasks in designing distributed systems. Over the last decade, researchers and practitioners have come to recognize that the incorporation of security features should proceed by means of a structured, systematic approach, combining principles from both software and security engineering. Such systematic approaches, particularly those implying some sort of process aligned with the development life-cycle, are termed security methodologies. There are a number of security methodologies in the literature, of which the most flexible and, according to a recent survey, most satisfactory from an industry-adoption viewpoint are methodologies that encapsulate their security solutions in some fashion, especially via the use of security patterns. While the literature does present several mature pattern-driven security methodologies with either a general or a highly specific system applicability, there are currently no (pattern-driven) security methodologies specifically designed for general distributed systems. Going further, there are also currently no methodologies with mixed specific applicability, e.g. for both general and peer-to-peer distributed systems. In this paper we aim to fill these gaps by presenting a comprehensive pattern-driven security methodology – arrived at by applying a previously devised approach to engineering security methodologies – specifically designed for general distributed systems, which is also capable of taking into account the specifics of peer-to-peer systems as needed. Our methodology takes the principle of encapsulation several steps further, by employing patterns not only for the incorporation of security features (via security solution frames), but also for the modeling of threats, and even as part of its process. We illustrate and evaluate the presented methodology in detail via a realistic example – the development of a distributed system for file sharing and collaborative editing. In both the presentation of the methodology and example our focus is on the early life-cycle phases (analysis and design).

Incorporating Security Features in Service-Oriented Architecture using Security Patterns

Service-Oriented Architecture is an architectural style where different heterogeneous components share information with each other by using special types of messages based on the protocol known as Simple Object Access Protocol. Various technologies, such as Common Object Request Broker Architecture, Java 2 Platform, Enterprise Edition, Java Message Service etc. are applied to realize Service-Oriented Architecture for different applications. Besides these approaches, two other techniques, REpresentational State Transfer, and web services are applied for the realization of Service-Oriented Architecture. Web services provide a platform independent communication scheme between applications. The security preservation among the composition of services is an important task for Service-Oriented Architecture. In this study, an attempt is made to incorporate security features in Service- Oriented Architecture with the help of software security patterns. This scheme is described by developing an architectural model integrated with security goals and security patterns. The structural and behavioral aspects of composition of web services incorporated with security features are presented using a Unified Modeling Language class diagram and a sequence diagram respectively. At the end of this study, an evaluation is performed between identified security patterns and critical security properties along with Service-Oriented Architecture design principles. A case study of an online banking system is considered to explain the use of security patterns.

Standardising business application security assessments with pattern-driven audit automations

In the light of recent corporate corruption scandals the requirement for Corporate Governance and Responsibility has emerged as a top management priority, as reflected on the recent regulatory environment and compliance requirements e.g. Sarbanes–Oxley Act. The need for explicitly demonstrated assurance of the financial and accounting information in an IT-fuelled business environment has shifted interest to the information and the IT systems themselves. Assurance of information is based on the art and science of IT audit, a set of recurring tasks by nature both in time and in space. In environments of integrated business applications and enterprise resource planning systems, auditing is particularly laborious and the requirement for automation of auditing tasks was never more demanding. The belief that audit automation is part of the means to achieve governance is developing amongst scholars and practitioners alike. However there is no common understanding yet developed as of how such automation could be achieved across different systems and applications. We argue that through appropriate standardisation of the automation requirements such cross-system implementation may be possible and we propose as a means of standardisation the use of security design patterns. In this paper we explore the use of security patterns for audit automation and we implement them as a means of supporting its standardisation within integrated business application systems.

MODELING SECURE SYSTEMS USING AN AGENT-ORIENTED APPROACH AND SECURITY PATTERNS

In this paper we describe an approach for modeling security issues in information systems. It is based on an agent-oriented approach, and extends it with the use of security patterns. Agent-oriented software engineering provides advantages when modeling security issues, since agents are often a natural way of conceptualizing an information system, in particular at the requirements stage, when the viewpoints of multiple stakeholders need to be considered. Our approach uses the Tropos methodology for modeling a system as a set of agents and their social dependencies, with specific extensions for representing security constraints. As an extension to the existing methodology we propose the use of security patterns. These patterns capture proven solutions to common security issues, and support the systematic and structured mapping of these constraints to an architectural model of the system, in particular for non-security specialists.