



1.1 Research

In recent years, pattern-based
approaches to software development, applied to different domains, have received
significant attention in the software engineering community. In the security
domain, it is challenging to capture and convey information in order to
facilitate security, which is a very abstract goal. In this research we give a
collection of security patterns that have been identified by the community. We
use a variation of the design pattern template that better suits the
presentation of security-specific information in order to facilitate reuse of
security knowledge.

Providing expertise that significantly
improves system development with respect to security is an ambitious goal. In
contrast to functional requirements that have a concrete solution, security is
difficult to measure and highly dependent on the environment. Other
pattern-based approaches like the well-known Design Patterns from Gamma et al. are
believed to greatly enhance productivity of the software development process by
conveying expertise. Unfortunately, the structure provided by various pattern
templates is not sufficient to portray all security relevant aspects. Some
approaches that apply patterns to the field of security use the regular or a
slightly modified Design Pattern template. The enhanced Security Pattern
Template presented herein contains additional information, including behavior,
constraints and related security principles that address difficulties inherent
to the design of security critical systems.

The security
needs of a system depend highly on the environment in which the system is
deployed. As the pattern approach is not capable of fully covering all possible
constellations of security, it is crucial that a developer is provided with
information that enables an evaluation of the situation that will lead to the
selection of appropriate patterns. By introducing and connecting general
security principles with a pattern’s substance, the developer gains security
insight by reading and applying the pattern. Furthermore, behavioral
information and security-related constraints are added in our pattern template.
The developer can use this information to check if a specific implementation of
the pattern is consistent with the essential security properties.

Patterns can speed up the development process by providing tested, proven
development paradigms. Effective software design requires considering issues
that may not become visible until later in the implementation. Reusing design
patterns helps to prevent subtle issues that can cause major problems and
improves code readability for coders and architects familiar with the patterns.

People only understand how to apply certain software design techniques to
certain problems. These techniques are difficult to apply to a broader range of
problems. Design patterns provide general solutions, documented in a format
that doesn’t require specifics tied to a particular problem.

In addition, patterns
allow developers to communicate using well-known, well understood names for
software interactions. Common design patterns can be improved over time, making
them more robust than ad-hoc designs.


2. Literature Review

It is common for developers to start coding an application without a
specific design pattern in the development road map, and this becomes a
vulnerable point to exploit. Applications developed without design patterns are
difficult to change and understand. It is possible to reduce vulnerability to a
minimum level, which results in reduced maintenance cost. An application was
developed for this paper using design patterns: two pages, a visitor
information page and a school member verification form, were built using the
Factory design pattern and the Interpreter design pattern. SFDP and SIDP are
the two secured design patterns proposed for making the application more secure
and reliable than before, using an encryption-decryption hashing algorithm
encoding scheme. The points expressed in the proposed model clearly explain the
expected vulnerable points. A secure design will keep the application as
reliable and available as it was before. (Zia Ahmad, Adeel Rauf, Mian Ali
Asghar, 2016)

Social sign-on and social sharing are becoming an ever more
popular feature of web applications. This success is largely due to the APIs
and support offered by prominent social networks, such as Facebook, Twitter and
Google, on the basis of new open standards such as the OAuth 2.0 authorization protocol.
A formal analysis of these protocols must account for malicious websites and
common web application vulnerabilities, such as cross-site request forgery and
open redirectors. We model several configurations of the OAuth 2.0 protocol in
the applied pi-calculus and verify them using ProVerif. Our models rely on
WebSpi, a new library for modeling web applications and web-based attackers
that is designed to help discover concrete attacks on websites. To ease the
task of writing formal models in our framework, we present a model extraction
tool that automatically translates programs written in subsets of PHP and JavaScript
to the applied pi-calculus. Our approach is validated by finding dozens of
previously unknown vulnerabilities in popular websites. (Chetan Bansal,
Karthikeyan Bhargavan, Antoine Delignat-Lavaud and Sergio Maffeis, 2014)

Current Security Pattern evaluation techniques are demonstrated
to be incomplete with respect to quantitative measurement and comparison. A
proposal for a dynamic tested system is presented as a potential mechanism for
evaluating patterns within a constrained environment. (Ishbel Duncan, Jan de Muijnck-Hughes, 2014)



The cost of fixing system vulnerabilities and the risk
associated with vulnerabilities after system deployment are high for both
developers and end users. While there are a number of best practices available
to address the issue of software security vulnerabilities, these practices are
often difficult to reuse due to the implementation-specific nature of the best
practices. In addition, greater understanding of the root causes of security
flaws has led to a greater appreciation of the importance of taking security
into account in all phases in the software development life cycle, not just in
the implementation and deployment phases. This report describes a set of secure
design patterns, which are descriptions or templates describing a general
solution to a security problem that can be applied in many different
situations. Rather than focus on the implementation of specific security mechanisms,
the secure design patterns detailed in this report are meant to eliminate the
accidental insertion of vulnerabilities into code or to mitigate the
consequences of vulnerabilities. The patterns were derived by generalizing
existing best security design practices and by extending existing design
patterns with security-specific functionality. They are categorized according
to their level of abstraction: architecture, design, or implementation.
(Dougherty, C.R., Sayre, K., Seacord, R., Svoboda, D., and Togashi, K., 2009)

Building software with an adequate level of security
assurance for its mission becomes more and more challenging every day as the
size, complexity, and tempo of software creation increases and the number and
the skill level of attackers continues to grow. These factors each exacerbate
the issue that, to build secure software, builders must ensure that they have
protected every relevant potential vulnerability; yet, to attack software,
attackers often have to find and exploit only a single exposed vulnerability.
To identify and mitigate relevant vulnerabilities in software, the development
community needs more than just good software engineering and analytical
practices, a solid grasp of software security features, and a powerful set of
tools. All of these things are necessary but not sufficient. To be effective,
the community needs to think outside of the box and to have a firm grasp of the
attacker’s perspective and the approaches used to exploit software [Hoglund 04,
Koziol 04]. This paper discusses the concept of attack patterns as a mechanism
to capture and communicate the attacker’s perspective. Attack patterns are
descriptions of common methods for exploiting software. They derive from the
concept of design patterns [Gamma 95] applied in a destructive rather than
constructive context and are generated from in-depth analysis of specific
real-world exploit examples. (Barnum, S., and Sethi, 2007)




