Security Engineering with Patterns
Markus Schumacher and Utz Roedig
Presented by Joe Combs 15 March 2006
Agenda• What do patterns seek to accomplish?
• Other approaches
• How do the authors define a pattern?
• Security engineering using patterns
• Related work
What Problem are We Trying to Solve?
• Allow novices to act as security experts
• Give security experts a mechanism to identify, name and discuss both problems and solutions more effectively
• Solve problems in a structured way
• Identify and consider dependencies between components
Other approaches• Security policy
• Evaluation criteria
• Tree representations
• Formal methods
• Semi-formal approaches
Schumacher & Roedig Pattern Template
• Name
• Context and related patterns
• Problem
• Solution
• Other optional sections include aliases, structure and interactions of participants, consequences, examples and counter-examples
Pattern System Examples• Virtual Private Networks - Transport data over an
untrustworthy network
• Network Encryption Protocol - establish security/confidentiality between endpoints
• Network Authentication Protocol - establish identity and handshake between participants
• Cryptographic Protocol - need to decide which mechanism
Pattern System Examples
Security Engineering w/Patterns• Does this template does meet the criteria for
the problem we’re trying to solve?• security by non-experts• structured problem solution• scope & time dependencies
• Tool support needed:• maintenance• classification• modeling• reasoning
An Engineering Example
An Engineering Example
Conclusions• Need a way to support both formal & informal approaches to
achieve security
• Average programmers need a mechanism to design secure systems
• Several patterns offered as examples - need a classification scheme to develop a pattern system
• Need to establish a larger pattern community with repositories of patterns, tool support and so on for this to be effective
Top Related