Security Design Patterns: Survey and Evaluation

M-A. Laverdière, Computer Security Laboratory, CIISE, Concordia University, Montreal, Canada, ma laver@ciise.concordia.ca
A. Mourad, Computer Security Laboratory, CIISE, Concordia University, Montreal, Canada, mourad@ciise.concordia.ca
A. Hanna, Computer Science and Software Engineering, Concordia University, Montreal, Canada, ahanna@cse.concordia.ca
M. Debbabi, Computer Security Laboratory, CIISE, Concordia University, Montreal, Canada, debbabi@ciise.concordia.ca

Abstract

Security design patterns have been proposed recently as a tool for the improvement of software security during the architecture and design phases. Since the appearance of this research topic in 1997, several catalogs have emerged, and the security pattern community has produced significant contributions, many of them related to design. In this paper, we survey major contributions in the state of the art in the field of security design patterns and assess their quality in the context of an established classification. From our results, we determined a classification of inappropriate pattern qualities. Using a Six Sigma approach, we propose a set of desirable properties that would prevent flaws in new design patterns, as well as a template for expressing them.

1. Motivations

Computer security professionals have, for many years, been promoting tools and best-practice guidelines for use by the software development industry, with little adoption so far. Developers, often pressed by a dominating time-to-market priority, must deal with a large set of technical and non-technical issues, and security concerns are consequently not thoroughly addressed. The practical help available to developers is typically centered around frameworks, standards and design guidelines, which can be of limited use for both implementers and maintainers.
Security design patterns approach the problem from a different perspective, by encapsulating expert knowledge in the form of proven solutions to common problems. The idea of patterns was introduced by Christopher Alexander et al. [4] in the field of building architecture, and was later reused in the object-oriented world. Security patterns are such patterns, but applied to information security. These patterns fit at different levels of abstraction and areas of concern, resulting in many patterns that are not “design patterns” in the common sense of the expression.

The current research on the topic is characterized by various publications. The most comprehensive catalog so far was published by the Open Group in 2004 [5], which attempts to summarize into patterns a very wide variety of sources, such as security framework standards. However, the field lacks a core reference similar to the Gang of Four patterns [8] in typical software design. Moreover, the patterns published so far typically fit at the “concept” and “example” levels of Kienzle et al.'s classification of pattern abstraction [11], with various templates and no established criteria for evaluation. This situation makes security design patterns hard to use for software designers and maintainers alike, which limits their adoption in the industry, and thus lowers their positive impact on security.

The twofold contribution of this paper is to evaluate the current state of research on the topic of security design patterns, and to draw out their undesirable properties. In section 2, we present the related work. Section 3 consists of the evaluation of the existing security design patterns. Section 4 presents the desired properties, the pattern template and the state of our work in progress. Section 5 gives some concluding remarks on this work as well as a few statements on future work.

2. Related Work

Yoder et al., in [15], introduced a 7-pattern catalog.
Although some of these patterns are related to each other, it is not clear whether or not the proposed patterns should be considered as a core set of patterns for building all kinds of security-enabled systems. In fact, the patterns proposed by Yoder et al. were not meant to be a complete set of security patterns; rather, they were intended as a starting point towards a collection of patterns that can help developers address security issues when developing applications.

Kienzle et al. [11], [12] have created a 29-pattern security pattern repository, which categorizes security patterns as either structural or procedural patterns. Structural patterns are patterns implementable in an application, whereas procedural patterns are aimed at improving the development process of security-critical software. The presented patterns were implementations of specific web application security policies.

Romanosky [14] introduced another set of design patterns. The discussion, however, focused on architectural and procedural guidelines more than on security patterns. For example, the “White Hats, Hack Thyself” pattern indicated that the implementation must be verified through testing.

Brown et al. [10] introduced a single security pattern, the authenticator, which describes a general mechanism for providing identification and authentication of a client to a server. Although authentication is a very important feature of secure systems, the pattern, as described, was limited to distributed object systems.

Braga et al. [6] also investigated security-related patterns specialized for cryptographic operations. They showed how cryptographic transformations over messages could be structured as a composite of instantiations of the cryptographic meta-pattern. This meta-pattern would effectively allow designers to apply cryptography in their applications,

1-4244-0038-4 2006 IEEE CCECE/CCGEI, Ottawa, May 2006