CHAPTER 1

1. INTRODUCTION

1.1 Research Background

In recent years, pattern-based approaches to software development, applied to different domains, have received significant attention in the software engineering community. In the security domain, it is challenging to capture and convey information in order to facilitate security, which is a very abstract goal.

In this research we give a collection of security patterns that have been identified by the community. We use a variation of the design pattern template that better suits the presentation of security-specific information in order to facilitate reuse of security knowledge.

Providing expertise that significantly improves system development with respect to security is an ambitious goal. In contrast to functional requirements that have a concrete solution, security is difficult to measure and highly dependent on the environment.

Other pattern-based approaches like the well-known Design Patterns from Gamma et al. are believed to greatly enhance productivity of the software development process by conveying expertise. Unfortunately, the structure provided by various pattern templates is not sufficient to portray all security-relevant aspects. Some approaches that apply patterns to the field of security use the regular or a slightly modified Design Pattern template. The enhanced Security Pattern Template presented herein contains additional information, including behavior, constraints and related security principles that address difficulties inherent to the design of security-critical systems.

The security needs of a system depend highly on the environment in which the system is deployed. As the pattern approach is not capable of fully covering all possible constellations of security, it is crucial that a developer is provided with information that enables an evaluation of the situation that will lead to the selection of appropriate patterns. By introducing and connecting general security principles with a pattern's substance, the developer gains security insight by reading and applying the pattern. Furthermore, behavioral information and security-related constraints are added in our pattern template. The developer can use this information to check if a specific implementation of the pattern is consistent with the essential security properties.

Design patterns can speed up the development process by providing tested, proven development paradigms. Effective software design requires considering issues that may not become visible until later in the implementation. Reusing design patterns helps to prevent subtle issues that can cause major problems and improves code readability for coders and architects familiar with the patterns.
Often, people only understand how to apply certain software design techniques to certain problems. These techniques are difficult to apply to a broader range of problems. Design patterns provide general solutions, documented in a format that doesn't require specifics tied to a particular problem. In addition, patterns allow developers to communicate using well-known, well-understood names for software interactions. Common design patterns can be improved over time, making them more robust than ad-hoc designs.

2. Literature Review

It is common that when developers start coding an application, a specific design pattern is not found in the development road map, and this becomes a vulnerable point to exploit. Applications developed without design patterns are difficult to change and understand. It is possible to reduce vulnerability to a minimum level, and this results in a reduction of maintenance cost. An application was developed for this paper using design patterns: two pages, a visitor information page and a school member verification form, were built using the Factory design pattern and the Interpreter design pattern. SFDP and SIDP are the two secured design patterns proposed for making the application more secure and reliable than before, using an encryption-decryption hashing algorithm and encoding scheme. The points expressed in the proposed model clearly explain the expected vulnerable points. A secure design will keep the application as reliable and available as it was before. (Zia Ahmad, Adeel Rauf, Mian Ali Asghar, 2016)

Social sign-on and social sharing are becoming an ever more popular feature of web applications. This success is largely due to the APIs and support offered by prominent social networks, such as Facebook, Twitter and Google, on the basis of new open standards such as the OAuth 2.0 authorization protocol. A formal analysis of these protocols must account for malicious websites and common web application vulnerabilities, such as cross-site request forgery and open redirectors. We model several configurations of the OAuth 2.0 protocol in the applied pi-calculus and verify them using ProVerif. (Ishbel Duncan, Jan de Muijnck-Hughes, 2014)

The cost of fixing system vulnerabilities and the risk associated with vulnerabilities after system deployment are high for both developers and end users. While there are a number of best practices available to address the issue of software security vulnerabilities, these practices are often difficult to reuse due to the implementation-specific nature of the best practices. In addition, greater understanding of the root causes of security flaws has led to a greater appreciation of the importance of taking security into account in all phases of the software development life cycle, not just in the implementation and deployment phases. This report describes a set of secure design patterns, which are descriptions or templates describing a general solution to a security problem that can be applied in many different situations. Rather than focus on the implementation of specific security mechanisms, the secure design patterns detailed in this report are meant to eliminate the accidental insertion of vulnerabilities into code or to mitigate the consequences of vulnerabilities. The patterns were derived by generalizing existing best security design practices and by extending existing design patterns with security-specific functionality. They are categorized according to their level of abstraction: architecture, design, or implementation. (Dougherty, C.R., Sayre, K., Seacord, R., Svoboda, D., and Togashi, K., 2009)

Building software with an adequate level of security assurance for its mission becomes more and more challenging every day as the size, complexity, and tempo of software creation increase and the number and the skill level of attackers continue to grow. These factors each exacerbate the issue that, to build secure software, builders must ensure that they have protected every relevant potential vulnerability; yet, to attack software, attackers often have to find and exploit only a single exposed vulnerability. To identify and mitigate relevant vulnerabilities in software, the development community needs more than just good software engineering and analytical practices, a solid grasp of software security features, and a powerful set of tools. All of these things are necessary but not sufficient. To be effective, the community needs to think outside of the box and to have a firm grasp of the attacker's perspective and the approaches used to exploit software (Hoglund 04, Koizol 04). This paper discusses the concept of attack patterns as a mechanism to capture and communicate the attacker's perspective. Attack patterns are descriptions of common methods for exploiting software. They derive from the concept of design patterns (Gamma 95) applied in a destructive rather than constructive context and are generated from in-depth analysis of specific real-world exploit examples. (Barnum, S., and Sethi, 2007)