A classification methodology for security patterns to help fix software weaknesses

 

AICCSA 2016

Authors : Loukmen REGAINIA, Sébastien SALVA, Cédric BOUHOURS

Presented by :  Loukmen REGAINIA

LIMOS, Auvergne Clermont University, Clermont-Ferrand, France

Introduction

Web applications are usually badly designed,  or not at all !!!

Most of badly designed  applications are Vulnerable

Secure design skills are not common in all the members of a development team 

Security patterns are abstract, generic and reusable solutions to recurrent security problems

Security patterns

A security pattern has:

- an intent : The main aim of the pattern

- a problem : In which the pattern is advised

- forces : why this pattern and not an other

- a solution :

- a structure and a behavior

- consequences : how the application will

be with the use of the pattern

- a set of related patterns:

depend, benifit, impair, alternative,

conflictual

Security patterns

The strong points of a pattern:

The security properties contributed by the use of the security patterns

 

Manually extracted from :

- forces : why this pattern and not an other

 

- consequences : how the application will

be with the use of the pattern

 

Security patterns

Limited view pattern

Full view with errors

Security patterns

Security patterns

- A pattern P1 may (Depend, benefit, impair, alternative, conflict) a pattern P2.

- The abstract presentation of patterns

- Growing number of patterns

Why using security patterns stills difficult ?

A security pattern cannot completely cover a weakness

The combination of patterns to mitigate a weakness, OR not !

Two patterns can be conflictual when used together

What is the best combination of patterns against a weakness ?

Exemple : access control security principles

Data consolidation with

Online database

http://regainia.com/research/database.html

Text

Example

conclusion

A data base of :

185 CWE weaknesses

26 security patterns

66 elemental security principles

An accurate classification of patterns and weaknesses

The presentation of  the classification methodology 

The generation of SAG (security activity graphs) to get the best combination of patterns against a weakness

 

work in progress

thank you for your attention

Made with Slides.com