security patterns
play

Security Patterns M. Schumacher, E. Fernandez-Buglioni, D. - PowerPoint PPT Presentation

Aug 21, 2023 •210 likes •1.04k views

Security Patterns M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Bushmann, and P. Sommerlad, Security Patterns: Integrating Security and Systems Engineering, John Wiley and Sons Ltd., 2006 Lecture outline What is pattern? What is

  1. Security Patterns M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Bushmann, and P. Sommerlad, Security Patterns: Integrating Security and Systems Engineering, John Wiley and Sons Ltd., 2006

  2. Lecture outline • What is pattern? • What is security pattern? • Security pattern landscape • SREBP • Examples of security risk-oriented patterns • Pattern identification and security requirements elicitation • Case study 410 ¡

  3. Lecture outline • What is pattern? • What is security pattern? • Security pattern landscape • SREBP • Examples of security risk-oriented patterns • Pattern identification and security requirements elicitation • Case study 411 ¡

  4. What is a Pattern? A solution to a problem that arises within specific context Context – Problem – Solution 412 ¡

  5. How does pattern distinguish from an ordinary solution? • Pattern describes: – Configuration of elements • Design outline • Code – Set of instruction to create the configuration of elements • Process – Presents high-quality proven solution – Reusability – Well expressed - initiates a dialog 413 ¡

  6. No Pattern is an Island • A pattern provides a self-contained solution for a specific problem but they are not independent of one another • Refinement – Solution proposed by a particular pattern can often be implemented with help of other patterns • which resolve the problem of the original problem – Each pattern depends on the smaller patterns it contains and on the larger patterns in which it is contained 414 ¡

  7. Patterns are Everywhere • Mid 1990s - Object Oriented Design patterns – Most widely known patterns Gang-of-Four book in 1995 • Software architecture • Programming levels • Fundamental structure and workflow of application domain – Health Care, Corporate Finance • Patterns spread in many other specific areas: – Concurrent networked systems and programming – Server Components – Human-computer Interaction – .... Many other specific areas Security – interesting area 415 ¡

  8. Lecture outline • What is pattern? • What is security pattern? • Security pattern landscape • SREBP • Examples of security risk-oriented patterns • Pattern identification and security requirements elicitation • Case study 416 ¡

  9. Security ¡Pa3erns ¡ 417 ¡

  10. Security Patterns • A security pattern describes – a particular recurring security problem – that arises in a specific security context – presents a well-proven generic scheme for a security solution • Codify security knowledge in structured and understandable way • Presentation is familiar to the audience • Proven solutions improve the integration of security into enterprises where needed 418 ¡

  11. Lecture outline • What is pattern? • What is security pattern? • Security pattern landscape • SREBP • Examples of security risk-oriented patterns • Pattern identification and security requirements elicitation • Case study 419 ¡

  12. Security Pattern Landscape 1. Enterprise Security and Risk Management 2. Identification and Authentication 3. Access Control Model 4. System Access Control Architecture 5. Operating System Access Control 6. Accounting 7. Firewall Architecture 8. Secure Internet Applications 9. Cryptographic Key Management patterns 420 ¡

  13. Security Pattern Landscape 421 ¡

  14. 1. Enterprise Security and Risk Management • Content : The enterprise has some function or mission and wants to address security issues as they relate to that mission 422 ¡

  15. 2. Identification and Authentication • Content : Specific requirements and design for the identification and authentication services 423 ¡

  16. 3. Access Control Model • Content : High level models represent the security policies of the requirements. These models define security constraints at the architectural level, the application level, and are enforced by the lower levels. 424 ¡

  17. 4. System Access Control Architecture • Essential for systems that permit or deny their use explicitly. Patterns deal with the architecture of the software systems. 425 ¡

  18. 5. Operating System Access Control • Access control in operating systems – Authenticator – Controlled process creator – Controlled object factory – Controlled object monitor – Controlled virtual address space – Execution domain – Controlled execution environment – File authorization 426 ¡

  19. 6. Accounting • Security audit and accounting – Risk events are violations that occur during operational activities. Decision makers need to be aware of the events that occur involving the assets 427 ¡

  20. 7. Firewall Architecture • Represent trade-offs between complexity, speed, and security, and which are tailored to control attacks on specific layers of the network Keep ¡state ¡ Address ¡filtering ¡ Proxy-based firewall Proxy ¡filtering ¡ Address ¡filtering ¡ Packet filter firewall Statefull firewall Keep ¡state ¡ Firewall ¡pa3ern ¡relaDonship ¡ 428 ¡

  21. 8. Secure Internet Applications 429 ¡

  22. 9. Cryptographic Key Management • Fundamental role in secure communication – Secure communication – Cryptographic key generation – Session key exchange with public keys – Public key exchange – Public key database – Session key exchange with server-side certificate – Session key exchange with certificates – Certificate authority – Cryptographic smart card – Certificate revocation 430 ¡

  23. Patterns on Threats to the System Uzunov A. V. , E. B. Fernandez , An Extensible Pattern-based Library and Taxonomy of Security Threats for Distributed Systems , Computer Standards & Interfaces, 2014 First level threats Second level threats • Identify attacks • Cryptography attacks • Network communication attacks • Countermeasure design • Network protocol attacks • Configuration/ administration • Passing illegal data attacks • Network protocol threats • Stored data attacks • Remote information inference • Loss of accountability • Uncontrolled operations 431 ¡

  24. Lecture outline • What is pattern? • What is security pattern? • Security pattern landscape • SREBP • Examples of security risk-oriented patterns • Pattern identification and security requirements elicitation • Case study 432 ¡

  25. SREBP : Security Requirements Elicitation from Business Proceses 433

  26. Understanding ¡work ¡pracDces ¡and ¡their ¡changes ¡ Processing ¡of ¡Informa/on ¡ Everything that IT does, reduces to six functions • Capturing ¡informa/on ¡ • Retrieving ¡informa/on ¡ ¡ – Keyboard, ¡bar ¡code ¡reader, ¡ – From ¡any ¡storage ¡device ¡ digital ¡camera ¡ • Manipula/ng ¡informa/on ¡ • Transmi5ng ¡informa/on ¡ – CalculaDons, ¡combinaDons ¡of ¡ – Wired-­‑, ¡wireless-­‑phone ¡ data ¡ • Storing ¡informa/on ¡ • Displaying ¡informa/on ¡ – Hard ¡disk, ¡memory ¡card, ¡ – Monitor, ¡printer ¡ internet ¡ ¡434 ¡ ¡

  27. Football Federation Case ¡435 ¡ ¡ 435 ¡

  28. Football Federation Case ¡436 ¡ ¡ 436 ¡

  29. Lecture outline • What is pattern? • What is security pattern? • Security pattern landscape • SREBP • Examples of security risk-oriented patterns • Pattern identification and security requirements elicitation • Case study 437 ¡

  30. Security Risk-oriented Patterns SRP1 : Secure data from unauthorized access SRP2 : Secure data transmitted between business entities SRP3 : Secure business activity after data is submitted SRP4 : Secure business services against denial of service attacks SRP5 : Secure data stored in / retrieved from the data store [Ahmed and Matulevi č ius, 2014] ¡438 ¡ ¡ 438

  31. Pattern structure 439 ¡

  32. SRP2 : Securing data that flow between the business entities 440 ¡

  33. Security Risk-oriented Patterns SRP1 : Secure data from unauthorized access SRP2 : Secure data transmitted between business entities SRP3 : Secure business activity after data is submitted SRP4 : Secure business services against denial of service attacks SRP5 : Secure data stored in / retrieved from the data store [Ahmed and Matulevi č ius, 2014] ¡441 ¡ ¡ 441

  34. Security Risk-oriented Patterns SRP1 : Secure data from unauthorized access SRP2 : Secure data transmitted between business entities SRP3 : Secure business activity after data is submitted SRP4 : Secure business services against denial of service attacks SRP5 : Secure data stored in / retrieved from the data store [Ahmed and Matulevi č ius, 2014] ¡442 ¡ ¡ 442

  35. Security Risk-oriented Patterns SRP1 : Secure data from unauthorized access SRP2 : Secure data transmitted between business entities SRP3 : Secure business activity after data is submitted SRP4 : Secure business services against denial of service attacks SRP5 : Secure data stored in / retrieved from the data store [Ahmed and Matulevi č ius, 2014] ¡443 ¡ ¡ 443

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun & profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
patterns and anti-patterns m e a n s D E P E N D E N C I E S L I A B I L I T Y O P I N I O N AT

patterns and anti-patterns m e a n s D E P E N D E N C I E S L I A B I L I T Y O P I N I O N AT

patterns and anti-patterns m e a n s D E P E N D E N C I E S L I A B I L I T Y O P I N I O N AT E D P R O D F O R A L L Firebase Functions User Browser (Auth, Assets, DB, Security) (running Angular) Auth0 Firebase User Browser

609 views • 19 slides
Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology

Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology

Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology Current Issues of Web Development Security Subresource Integrity Checking Content Security Policies HTTP Public Key Pinning Certificate

1.05k views • 61 slides
Tutorial: Security patterns and secure systems design using UML Eduardo B. Fernandez and Maria

Tutorial: Security patterns and secure systems design using UML Eduardo B. Fernandez and Maria

Tutorial: Security patterns and secure systems design using UML Eduardo B. Fernandez and Maria M. Larrondo Petrie Dept. of Computer Science and Eng. Florida Atlantic University www.cse.fau.edu/~security {ed, maria}@cse.fau.edu ICWMC/ICCGI

2.27k views • 184 slides
Design Patterns Applications Programming What is design patterns? The design patterns are

Design Patterns Applications Programming What is design patterns? The design patterns are

10/26/2011 G52APR Design Patterns Applications Programming What is design patterns? The design patterns are language- Design Patterns 1 independent strategies for solving common object-oriented design problems. Jiawei Li (Michael)

316 views • 8 slides
More Design Patterns Horstmann ch.10.1,10.4 Design patterns Structural design patterns

More Design Patterns Horstmann ch.10.1,10.4 Design patterns Structural design patterns

More Design Patterns Horstmann ch.10.1,10.4 Design patterns Structural design patterns Adapter Composite Decorator Proxy Behavioral design patterns Iterator Observer Strategy Template method

777 views • 16 slides
Map Reduce and Design Patterns Lecture 5 Fang Yu Software Security Lab. Department of

Map Reduce and Design Patterns Lecture 5 Fang Yu Software Security Lab. Department of

Chapter 5 Map Reduce and Design Patterns Lecture 5 Fang Yu Software Security Lab. Department of Management Information Systems College of Commerce, National Chengchi University http://soslab.nccu.edu.tw Cloud Computation, April 7, 2015 1 /

458 views • 7 slides
Map Reduce and Design Patterns Lecture 4 Fang Yu Software Security Lab. Department of

Map Reduce and Design Patterns Lecture 4 Fang Yu Software Security Lab. Department of

Chapter 4 Map Reduce and Design Patterns Lecture 4 Fang Yu Software Security Lab. Department of Management Information Systems College of Commerce, National Chengchi University http://soslab.nccu.edu.tw Cloud Computation, March 31, 2015 1 /

131 views • 10 slides
Security Patterns for Automotive Systems Betty H.C. Cheng with Bradley Doherty, Nick Polanco, and

Security Patterns for Automotive Systems Betty H.C. Cheng with Bradley Doherty, Nick Polanco, and

9/16/19 Security Patterns for Automotive Systems Betty H.C. Cheng with Bradley Doherty, Nick Polanco, and Matthew Pasco Overview Background Review of threat surfaces Automotive Security Pattern structure Excerpts from Automotive

327 views • 16 slides
Security Design Refinem ent through Mapping Tactics to Patterns Jungw oo Ryoo, Penn State Rick

Security Design Refinem ent through Mapping Tactics to Patterns Jungw oo Ryoo, Penn State Rick

Security Design Refinem ent through Mapping Tactics to Patterns Jungw oo Ryoo, Penn State Rick Kazm an, SEI / University of Haw aii SATURN, San Diego May 5 , 2 0 1 6 Goals of this Session To provide a quick look at Software security

753 views • 53 slides
Design Patterns in Eiffel Dr. Till Bay design patterns? [Design Patterns] are

Design Patterns in Eiffel Dr. Till Bay design patterns? [Design Patterns] are

Design Patterns in Eiffel Dr. Till Bay design patterns? [Design Patterns] are descriptions of communicating objects and classes that are customized to solve a general design problem in a particular context. Design Patterns,

1.44k views • 69 slides
Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf

Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf

Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf gholzer Linux Security Summit, New Orleans 2013 Kees Cook <keescook@google.com> (pronounced Case) Overview Anti-pattern awareness

254 views • 10 slides
Map Reduce and Design Patterns Lecture 1 Fang Yu Software Security Lab. Department of

Map Reduce and Design Patterns Lecture 1 Fang Yu Software Security Lab. Department of

Chapter 1 Chapter 2 Map Reduce and Design Patterns Lecture 1 Fang Yu Software Security Lab. Department of Management Information Systems College of Commerce, National Chengchi University http://soslab.nccu.edu.tw Cloud Computation, March

794 views • 14 slides
Local foods, community health, and food security latest research on patterns and relationships

Local foods, community health, and food security latest research on patterns and relationships

Local foods, community health, and food security latest research on patterns and relationships Amber Canto Poverty and Food Security Specialist University of Wisconsin-Extension, Cooperative Extension Laura Brown Community Development

416 views • 30 slides
Project Plan Detecting Security Threats from User Authentication Patterns The Capstone

Project Plan Detecting Security Threats from User Authentication Patterns The Capstone

Project Plan Detecting Security Threats from User Authentication Patterns The Capstone Experience Team Symantec Stephen Alfa Keerthana Kolisetty Robert Novak Abby Urbanski Xiaoyo Wu Department of Computer Science and Engineering Michigan

244 views • 13 slides
Design Patterns 1 What are Design Patterns? Design patterns describe common (and successful)

Design Patterns 1 What are Design Patterns? Design patterns describe common (and successful)

Design Patterns 1 What are Design Patterns? Design patterns describe common (and successful) ways of building software. 2 What are Design Patterns? A pattern describes a problem that occurs often, along with a tried solution to the

727 views • 48 slides
Political Science 17 . 20 Introduction to American Politics Professor Devin Caughey MIT

Political Science 17 . 20 Introduction to American Politics Professor Devin Caughey MIT

Political Science 17 . 20 Introduction to American Politics Professor Devin Caughey MIT Department of Political Science The Judiciary Lecture 10 (March 12, 2013) 1 / 14 Outline The Judiciary in a Democracy 1 Judicial Decision Making 2 3

593 views • 15 slides
ss strt trsts r

ss strt trsts r

ss strt trsts r t r r Pr s rsr

946 views • 35 slides
National Disaster Resilience Competition (NDRC) Q & A Session: Walk through FAQs September

National Disaster Resilience Competition (NDRC) Q & A Session: Walk through FAQs September

National Disaster Resilience Competition (NDRC) Q & A Session: Walk through FAQs September 24, 2015 U.S. Department of Housing and Urban Development Presenters Office of Community Planning and Development Jessie Handforth Kome, Deputy

618 views • 14 slides
Teoria dos Grafos Edson Prestes Teoria dos Grafos Grafos Enumerao de Passeios/Caminhos O

Teoria dos Grafos Edson Prestes Teoria dos Grafos Grafos Enumerao de Passeios/Caminhos O

Teoria dos Grafos Edson Prestes Teoria dos Grafos Grafos Enumerao de Passeios/Caminhos O processo associado enumerao de caminhos de um grafo/dgrafo semelhante ao processo de contagem com a diferena de que usaremos uma

338 views • 31 slides
Week 9 Welcome! Please Read the Handouts While You Wait for Class to Begin! Please

Week 9 Welcome! Please Read the Handouts While You Wait for Class to Begin! Please

Week 9 Welcome! Please Read the Handouts While You Wait for Class to Begin! Please help yourself to coffee and snacks Please make a name tag for yourself Please consider serving: Sign-up to bring refreshments to a class

406 views • 18 slides
Let the word of Christ dwell in you richly in all wisdom, teaching and admonishing one another in

Let the word of Christ dwell in you richly in all wisdom, teaching and admonishing one another in

Let the word of Christ dwell in you richly in all wisdom, teaching and admonishing one another in psalms and hymns and spiritual songs, singing with grace in your hearts to the Lord. Colossians 3:16 Colossians Commands Commands put to

2.61k views • 172 slides
Colossians Series Lesson #58 June 3, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert

Colossians Series Lesson #58 June 3, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert

Colossians Series Lesson #58 June 3, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. C OLOSSIANS : Jesus Christ is All-Sufficient Peace: Inner Guide or External Standard? Colossians 3:15 A study by contrast: Jesus

294 views • 13 slides
Knowledge translation research and implementation science: the missing links between research and

Knowledge translation research and implementation science: the missing links between research and

Knowledge translation research and implementation science: the missing links between research and practice Brian Haynes McMaster University Conflict Disclosures None for this presentation Speaker: R Brian Haynes: Closing the loop on

770 views • 28 slides

More recommend