DOI: 10.1145/2384592.2384607 (research article, ACM conference proceedings)

Growing a pattern language (for security)

Published: 19 October 2012

ABSTRACT

Researchers and practitioners have been successfully documenting software patterns for over two decades. But the next step, building pattern languages, has proven much more difficult. This paper describes an approach for building a large pattern language for security, an approach that can also be used to create pattern languages for other software domains. We describe the mechanism of growing this pattern language: how we cataloged the security patterns from books, papers and pattern collections written by security experts over the last 15 years, how we classified the patterns to help developers find the appropriate ones, and how we identified and described the relationships between patterns in the language. To the best of our knowledge, this is the largest pattern language in software. But the most significant contribution of this paper is the story behind how the pattern language was grown; it illustrates the steps that can be adapted to create and grow pattern languages for other domains.

References

  1. M. Adams, J. Coplien, R. Gamoke, R. Hanmer, F. Keeve, and K. Nicodemus. Pattern Languages of Program Design 2, chapter 33: Fault-Tolerant Telecommunication System Patterns. Addison-Wesley, 1996.
  2. C. Alexander. The Timeless Way of Building. Number 1 in Center for Environmental Structure Series. Oxford University Press, New York, 1980.
  3. C. Alexander, S. Ishikawa, and M. Silverstein. A Pattern Language: Towns, Buildings, Construction. Oxford University Press, New York, 1977.
  4. D. Bell and L. LaPadula. Secure computer systems: Mathematical foundations. Technical Report ESD-TR-73-278, MITRE Corporation, 1973.
  5. B. Blakley and C. Heath. Security design patterns technical guide, Version 1. Technical report, The Open Group, 2004.
  6. F. L. Brown Jr., J. DiVietri, G. D. Villegas, and E. B. Fernandez. The authenticator pattern. 1999.
  7. F. Buschmann, R. Meunier, H. Rohnert, P. Sommerlad, and M. Stal. Pattern-Oriented Software Architecture: A System of Patterns. Wiley Series in Software Design Patterns. John Wiley & Sons, 1996.
  8. J. Coplien. Advanced C++ Programming Styles and Idioms. Addison-Wesley, 1992.
  9. E. Evans. Domain-Driven Design: Tackling Complexity in the Heart of Software. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2003.
  10. E. B. Fernandez and J. C. Sinibaldi. More patterns for operating systems access control. In Proceedings of the European Conference on Pattern Languages of Programs (EuroPLoP'03), 2003.
  11. M. Fowler. Patterns of Enterprise Application Architecture. Addison-Wesley, 2002.
  12. E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design Patterns. Addison-Wesley, 1995.
  13. M. Goodyear, editor. Enterprise System Architectures: Building Client Server and Web Based Systems. CRC Press, September 1999.
  14. M. Hafiz. A pattern language for developing privacy enhancing technologies. To appear in Software: Practice and Experience, 2012.
  15. M. Hafiz, P. Adamczyk, and R. E. Johnson. Organizing security patterns. IEEE Software, 24(4):52-60, July/August 2007.
  16. M. Hafiz and R. Johnson. Evolution of the MTA architecture: The impact of security. Software: Practice and Experience, 38(15):1569-1599, December 2008.
  17. M. Hafiz, R. Johnson, and R. Afandi. The security architecture of qmail. In Proceedings of the 11th Conference on Pattern Languages of Programs (PLoP'04), 2004.
  18. R. Hanmer. Patterns for Fault Tolerant Software. Wiley, 2007.
  19. J. Heaney, D. Hybertson, A. Reedy, S. Chapin, T. Bollinger, D. Williams, and M. Kirwan Jr. Information assurance for enterprise engineering. In Proceedings of the 9th Conference on Pattern Languages of Programs (PLoP'02), 2002.
  20. J. Heer and M. Agrawala. Software design patterns for information visualization. IEEE Transactions on Visualization and Computer Graphics, 12:853-860, 2006.
  21. J. Hogg, D. Smith, F. Chong, D. Taylor, L. Wall, and P. Slater. Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0. Microsoft Press, March 2006.
  22. D. Hybertson, J. Heaney, and A. Reedy. Conceptual aspects of security patterns. 2002.
  23. IEEE Std 1471-2000. IEEE recommended practice for architectural description of software-intensive systems, 2000.
  24. R. E. Johnson. Documenting frameworks using patterns. In A. Paepcke, editor, Proceedings of the Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), pages 63-76. ACM Press, October 1992.
  25. D. Kienzle, M. Elder, D. Tyree, and J. Edwards-Hewitt. Security patterns repository version 1.0. http://www.scrypt.net/~celer/securitypatterns/repository.pdf, 2002.
  26. G. Meszaros. Pattern Languages of Program Design 1, chapter 8: Pattern: Half-Object + Protocol (HOPP). Addison-Wesley, 1995.
  27. R. Porter, J. O. Coplien, and T. Winn. Sequences as a basis for pattern language composition. Science of Computer Programming, 56(1-2):231-249, 2005.
  28. S. Romanosky. Security design patterns part 1. http://citeseer.ist.psu.edu/575199.html, November 2001.
  29. S. Romanosky. Enterprise security patterns. http://citeseer.ist.psu.edu/romanosky02enterprise.html, 2002.
  30. J. Saltzer and M. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278-1308, September 1975.
  31. M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Buschmann, and P. Sommerlad. Security Patterns: Integrating Security and Systems Engineering. John Wiley and Sons, December 2005.
  32. M. Schumacher and U. Roedig. Security engineering with patterns. In Proceedings of the 8th Conference on Pattern Languages of Programs (PLoP'01), 2001.
  33. C. Steel, R. Nagappan, and R. Lai. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management. Prentice Hall PTR, October 2005.
  34. F. Swiderski and W. Snyder. Threat Modeling. Microsoft Press, 2004.
  35. J. Tidwell. Designing Interfaces: Patterns for Effective Interaction Design. O'Reilly, 2005.
  36. D. Trowbridge, W. Cunningham, M. Evans, L. Brader, and P. Slater. Describing the enterprise architectural space. MSDN, June 2004.
  37. R. Veryard and A. Ward. Trusting components and services, 2001.
  38. J. Viega and G. McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, 2002.
  39. K. Wolf and C. Liu. Pattern Languages of Program Design 1, chapter 4: New Clients with Old Servers: A Pattern Language for Client/Server Frameworks. Addison-Wesley, 1995.
  40. J. Yoder and J. Barcalow. Architectural patterns for enabling application security. In Proceedings of the 4th Conference on Pattern Languages of Programs (PLoP'97), 1997.
  41. J. A. Zachman. A framework for information systems architecture. IBM Systems Journal, 26(3), 1987.

Published in: Onward! 2012: Proceedings of the ACM International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software. October 2012, 258 pages. ISBN: 9781450315623. DOI: 10.1145/2384592.

Copyright © 2012 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: Onward! 2012 paper acceptance rate 13 of 43 submissions (30%); overall acceptance rate 40 of 105 submissions (38%).
