Evaluating the degree of security of a system built using security patterns

Eduardo B. Fernandez; Nobukazu Yoshioka; Hironori Washizaki

doi:10.1145/3230833.3232821

Evaluating the degree of security of a system built using security patterns

Eduardo B. Fernandez, Nobukazu Yoshioka, Hironori Washizaki

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

A variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of their products. In fact, we have no generally-accepted ways to measure if the product of some methodology has reached some degree of security. However, if the system has been built with a methodology that uses patterns as artifacts, we believe that a simple evaluation is possible. We propose a metric for the security of systems that have been built using security patterns: We perform threat enumeration, we check if the patterns in the product have stopped the threats, and calculate the coverage of these threats by the patterns. We indicate how to take advantage of the Twin Peaks approach to arrive to a refined measure of security. In early work, we have proposed a secure systems development methodology that uses security patterns and we use it as example.

Original language	English
Title of host publication	ARES 2018 - 13th International Conference on Availability, Reliability and Security
Publisher	Association for Computing Machinery
ISBN (Electronic)	9781450364485
DOIs	https://doi.org/10.1145/3230833.3232821
Publication status	Published - 2018 Aug 27
Event	13th International Conference on Availability, Reliability and Security, ARES 2018 - Hamburg, Germany Duration: 2018 Aug 27 → 2018 Aug 30

Other

Other	13th International Conference on Availability, Reliability and Security, ARES 2018
Country	Germany
City	Hamburg
Period	18/8/27 → 18/8/30

Keywords

Security evaluation
Security patterns
Software architecture
Software security
Systems security

ASJC Scopus subject areas

Human-Computer Interaction
Computer Networks and Communications
Computer Vision and Pattern Recognition
Software

Cite this

Fernandez, E. B., Yoshioka, N., & Washizaki, H. (2018). Evaluating the degree of security of a system built using security patterns. In ARES 2018 - 13th International Conference on Availability, Reliability and Security [3232821] Association for Computing Machinery. https://doi.org/10.1145/3230833.3232821

Evaluating the degree of security of a system built using security patterns. / Fernandez, Eduardo B.; Yoshioka, Nobukazu; Washizaki, Hironori.

ARES 2018 - 13th International Conference on Availability, Reliability and Security. Association for Computing Machinery, 2018. 3232821.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Fernandez, EB, Yoshioka, N & Washizaki, H 2018, Evaluating the degree of security of a system built using security patterns. in ARES 2018 - 13th International Conference on Availability, Reliability and Security., 3232821, Association for Computing Machinery, 13th International Conference on Availability, Reliability and Security, ARES 2018, Hamburg, Germany, 18/8/27. https://doi.org/10.1145/3230833.3232821

Fernandez EB, Yoshioka N, Washizaki H. Evaluating the degree of security of a system built using security patterns. In ARES 2018 - 13th International Conference on Availability, Reliability and Security. Association for Computing Machinery. 2018. 3232821 https://doi.org/10.1145/3230833.3232821

Fernandez, Eduardo B. ; Yoshioka, Nobukazu ; Washizaki, Hironori. / Evaluating the degree of security of a system built using security patterns. ARES 2018 - 13th International Conference on Availability, Reliability and Security. Association for Computing Machinery, 2018.

@inproceedings{b65f73f7d92f433e87c8388d4149bce2,

title = "Evaluating the degree of security of a system built using security patterns",

abstract = "A variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of their products. In fact, we have no generally-accepted ways to measure if the product of some methodology has reached some degree of security. However, if the system has been built with a methodology that uses patterns as artifacts, we believe that a simple evaluation is possible. We propose a metric for the security of systems that have been built using security patterns: We perform threat enumeration, we check if the patterns in the product have stopped the threats, and calculate the coverage of these threats by the patterns. We indicate how to take advantage of the Twin Peaks approach to arrive to a refined measure of security. In early work, we have proposed a secure systems development methodology that uses security patterns and we use it as example.",

keywords = "Security evaluation, Security patterns, Software architecture, Software security, Systems security",

author = "Fernandez, {Eduardo B.} and Nobukazu Yoshioka and Hironori Washizaki",

year = "2018",

month = "8",

day = "27",

doi = "10.1145/3230833.3232821",

language = "English",

booktitle = "ARES 2018 - 13th International Conference on Availability, Reliability and Security",

publisher = "Association for Computing Machinery",

}

TY - GEN

T1 - Evaluating the degree of security of a system built using security patterns

AU - Fernandez, Eduardo B.

AU - Yoshioka, Nobukazu

AU - Washizaki, Hironori

PY - 2018/8/27

Y1 - 2018/8/27

N2 - A variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of their products. In fact, we have no generally-accepted ways to measure if the product of some methodology has reached some degree of security. However, if the system has been built with a methodology that uses patterns as artifacts, we believe that a simple evaluation is possible. We propose a metric for the security of systems that have been built using security patterns: We perform threat enumeration, we check if the patterns in the product have stopped the threats, and calculate the coverage of these threats by the patterns. We indicate how to take advantage of the Twin Peaks approach to arrive to a refined measure of security. In early work, we have proposed a secure systems development methodology that uses security patterns and we use it as example.

AB - A variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of their products. In fact, we have no generally-accepted ways to measure if the product of some methodology has reached some degree of security. However, if the system has been built with a methodology that uses patterns as artifacts, we believe that a simple evaluation is possible. We propose a metric for the security of systems that have been built using security patterns: We perform threat enumeration, we check if the patterns in the product have stopped the threats, and calculate the coverage of these threats by the patterns. We indicate how to take advantage of the Twin Peaks approach to arrive to a refined measure of security. In early work, we have proposed a secure systems development methodology that uses security patterns and we use it as example.

KW - Security evaluation

KW - Security patterns

KW - Software architecture

KW - Software security

KW - Systems security

UR - http://www.scopus.com/inward/record.url?scp=85055289536&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85055289536&partnerID=8YFLogxK

U2 - 10.1145/3230833.3232821

DO - 10.1145/3230833.3232821

M3 - Conference contribution

BT - ARES 2018 - 13th International Conference on Availability, Reliability and Security

PB - Association for Computing Machinery

ER -

Access to Document

10.1145/3230833.3232821