ABSTRACT
Researchers and practitioners have been successfully documenting software patterns for over two decades. But the next step, building pattern languages, has proven much more difficult. This paper describes an approach for building a large pattern language for security, an approach that can also be used to create pattern languages for other software domains. We describe the mechanism of growing this pattern language: how we cataloged the security patterns from books, papers and pattern collections written by security experts over the last 15 years, how we classified the patterns to help developers find the appropriate ones, and how we identified and described the relationships between patterns in the language. To the best of our knowledge, this is the largest pattern language in software. But the most significant contribution of this paper is the story behind how the pattern language was grown; it illustrates the steps that can be adapted to create and grow pattern languages for other domains.
Index Terms
Growing a pattern language (for security)