Evaluating the degree of security of a system built using security patterns

Eduardo B. Fernandez, Nobukazu Yoshioka, Hironori Washizaki

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    A variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of their products. In fact, we have no generally-accepted ways to measure if the product of some methodology has reached some degree of security. However, if the system has been built with a methodology that uses patterns as artifacts, we believe that a simple evaluation is possible. We propose a metric for the security of systems that have been built using security patterns: We perform threat enumeration, we check if the patterns in the product have stopped the threats, and calculate the coverage of these threats by the patterns. We indicate how to take advantage of the Twin Peaks approach to arrive to a refined measure of security. In early work, we have proposed a secure systems development methodology that uses security patterns and we use it as example.

    Original languageEnglish
    Title of host publicationARES 2018 - 13th International Conference on Availability, Reliability and Security
    PublisherAssociation for Computing Machinery
    ISBN (Electronic)9781450364485
    DOIs
    Publication statusPublished - 2018 Aug 27
    Event13th International Conference on Availability, Reliability and Security, ARES 2018 - Hamburg, Germany
    Duration: 2018 Aug 272018 Aug 30

    Other

    Other13th International Conference on Availability, Reliability and Security, ARES 2018
    CountryGermany
    CityHamburg
    Period18/8/2718/8/30

    Keywords

    • Security evaluation
    • Security patterns
    • Software architecture
    • Software security
    • Systems security

    ASJC Scopus subject areas

    • Human-Computer Interaction
    • Computer Networks and Communications
    • Computer Vision and Pattern Recognition
    • Software

    Cite this

    Fernandez, E. B., Yoshioka, N., & Washizaki, H. (2018). Evaluating the degree of security of a system built using security patterns. In ARES 2018 - 13th International Conference on Availability, Reliability and Security [3232821] Association for Computing Machinery. https://doi.org/10.1145/3230833.3232821

    Evaluating the degree of security of a system built using security patterns. / Fernandez, Eduardo B.; Yoshioka, Nobukazu; Washizaki, Hironori.

    ARES 2018 - 13th International Conference on Availability, Reliability and Security. Association for Computing Machinery, 2018. 3232821.

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Fernandez, EB, Yoshioka, N & Washizaki, H 2018, Evaluating the degree of security of a system built using security patterns. in ARES 2018 - 13th International Conference on Availability, Reliability and Security., 3232821, Association for Computing Machinery, 13th International Conference on Availability, Reliability and Security, ARES 2018, Hamburg, Germany, 18/8/27. https://doi.org/10.1145/3230833.3232821
    Fernandez EB, Yoshioka N, Washizaki H. Evaluating the degree of security of a system built using security patterns. In ARES 2018 - 13th International Conference on Availability, Reliability and Security. Association for Computing Machinery. 2018. 3232821 https://doi.org/10.1145/3230833.3232821
    Fernandez, Eduardo B. ; Yoshioka, Nobukazu ; Washizaki, Hironori. / Evaluating the degree of security of a system built using security patterns. ARES 2018 - 13th International Conference on Availability, Reliability and Security. Association for Computing Machinery, 2018.
    @inproceedings{b65f73f7d92f433e87c8388d4149bce2,
    title = "Evaluating the degree of security of a system built using security patterns",
    abstract = "A variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of their products. In fact, we have no generally-accepted ways to measure if the product of some methodology has reached some degree of security. However, if the system has been built with a methodology that uses patterns as artifacts, we believe that a simple evaluation is possible. We propose a metric for the security of systems that have been built using security patterns: We perform threat enumeration, we check if the patterns in the product have stopped the threats, and calculate the coverage of these threats by the patterns. We indicate how to take advantage of the Twin Peaks approach to arrive to a refined measure of security. In early work, we have proposed a secure systems development methodology that uses security patterns and we use it as example.",
    keywords = "Security evaluation, Security patterns, Software architecture, Software security, Systems security",
    author = "Fernandez, {Eduardo B.} and Nobukazu Yoshioka and Hironori Washizaki",
    year = "2018",
    month = "8",
    day = "27",
    doi = "10.1145/3230833.3232821",
    language = "English",
    booktitle = "ARES 2018 - 13th International Conference on Availability, Reliability and Security",
    publisher = "Association for Computing Machinery",

    }

    TY - GEN

    T1 - Evaluating the degree of security of a system built using security patterns

    AU - Fernandez, Eduardo B.

    AU - Yoshioka, Nobukazu

    AU - Washizaki, Hironori

    PY - 2018/8/27

    Y1 - 2018/8/27

    N2 - A variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of their products. In fact, we have no generally-accepted ways to measure if the product of some methodology has reached some degree of security. However, if the system has been built with a methodology that uses patterns as artifacts, we believe that a simple evaluation is possible. We propose a metric for the security of systems that have been built using security patterns: We perform threat enumeration, we check if the patterns in the product have stopped the threats, and calculate the coverage of these threats by the patterns. We indicate how to take advantage of the Twin Peaks approach to arrive to a refined measure of security. In early work, we have proposed a secure systems development methodology that uses security patterns and we use it as example.

    AB - A variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of their products. In fact, we have no generally-accepted ways to measure if the product of some methodology has reached some degree of security. However, if the system has been built with a methodology that uses patterns as artifacts, we believe that a simple evaluation is possible. We propose a metric for the security of systems that have been built using security patterns: We perform threat enumeration, we check if the patterns in the product have stopped the threats, and calculate the coverage of these threats by the patterns. We indicate how to take advantage of the Twin Peaks approach to arrive to a refined measure of security. In early work, we have proposed a secure systems development methodology that uses security patterns and we use it as example.

    KW - Security evaluation

    KW - Security patterns

    KW - Software architecture

    KW - Software security

    KW - Systems security

    UR - http://www.scopus.com/inward/record.url?scp=85055289536&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=85055289536&partnerID=8YFLogxK

    U2 - 10.1145/3230833.3232821

    DO - 10.1145/3230833.3232821

    M3 - Conference contribution

    BT - ARES 2018 - 13th International Conference on Availability, Reliability and Security

    PB - Association for Computing Machinery

    ER -