Top

Published in:

2014 | OriginalPaper | Chapter

16. Evaluating the Implications of Attack and Security Patterns with Premortems

Authors : Shamal Faily, Simon Parkin, John Lyle

Published in: Cyberpatterns

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Security patterns are a useful way of describing, packaging and applying security knowledge which might otherwise be unavailable. However, because patterns represent partial knowledge of a problem and solution space, there is little certainty that addressing the consequences of one problem won’t introduce or exacerbate another. Rather than using patterns exclusively to explore possible solutions to security problems, we can use them to better understand the security problem space. To this end, we present a framework for evaluating the implications of security and attack patterns using premortems: scenarios describing a failed system that invites reasons for its failure. We illustrate our approach using an example from the EU FP 7 webinos project.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Security Design Patterns in the MASTER Workbench

next chapter An Overview of Artificial Intelligence Based Pattern Matching in a Security and Digital Forensic Context

Schumacher M, Fernandez E, Hybertson D, Buschmann F. Security patterns: integrating security and systems engineering. Chichester: Wiley; 2005.

McGraw G, Migues S, West J. Building Security In Maturity model: BSIMMV. October 2013. http://bsimm.com. Accessed March 2014

Fernandez EB, Yoshioka N, Washizaki H, Jürjens J, VanHilst M, Pernul G. Using security patterns to develop secure systems. In: Mouratidis H, editor. Software engineering for secure systems: industrial and research perspectives. , New York: IGI Global; 2011. p. 16–31.

Chiesa R, Ducci S, Ciappi S. Profiling hackers: the science of criminal profiling as applied to the world of hacking. 1st ed. Boston: Auerbach Publications; 2008.CrossRef

Atzeni A, Cameroni C, Faily S, Lyle J, Flechais I. Here’s johnny: a methodology for developing attacker personas. In: Proceedings of the 2011 sixth international conference on availability, reliability and security. ARES ’11. Washington: IEEE Computer Society; 2011. p. 722–7. http://dx.doi.org/10.1109/ARES.2011.115.

Faily S, Flechais I. To boldly go where invention isn’t secure: applying security entrepreneurship to secure systems design. In: Proceedings of the 2010 workshop on new security paradigms. NSPW ’10. New York: ACM; 2010. p. 73–84. http://doi.acm.org/10.1145/1900546.1900557.

Klein G. Performing a project premortem. Harvard Bus Rev. 2007;85(9):18–9.

van Lamsweerde A. Requirements engineering: from system goals to UML models to software specifications. West Sussex: Wiley; 2009.

Faily S, Fléchais I. Towards tool-support for usable secure requirements engineering with CAIRIS. Int J Secure Software Eng. 2010;1(3):56–70.

10.

Faily S. CAIRIS web site; 2013. http://github.com/failys/CAIRIS.

11.

Faily S, Fléchais I. Eliciting policy requirements for critical national infrastructure using the iris framework. Int J Secure Software Eng. 2011;2(4):114–9.CrossRef

12.

Gamma E, Helm R, Johnson R, Vlissides J. Design patterns: elements of reusable object-oriented software. Boston: Addison-Wesley Longman; 1995.

13.

Faily S, Fléchais I. A meta-model for usable secure requirements engineering. In: Proceedings of the 2010 ICSE workshop on software engineering for secure systems. SESS ’10. New York: ACM; 2010. p. 29–35. http://doi.acm.org/10.1145/1809100.1809105.

14.

Faily S, Lyle J, Namiluko C, Atzeni A, Cameroni C. Model-driven architectural risk analysis using architectural and contextualised attack patterns. In: Proceedings of the workshop on model-driven security. MDsec ’12. New York: ACM; 2012. p. 3:1–3:6. http://doi.acm.org/10.1145/2422498.2422501.

15.

Faily S, Fléchais I. Analysing and visualising security and usability in iris. 2012 seventh international conference on availability, reliability and security 2010; p. 543–8.

16.

Sindre G, Opdahl AL. Eliciting security requirements with misuse cases. Requir Eng. 2005;10(1):34–44. http://dx.doi.org/10.1007/s00766-004-0194-4.

17.

Fuhrhop C, Lyle J, Faily S. The webinos project. In: Proceedings of the 21st international conference companion on World Wide Web. WWW ’12 Companion. New York: ACM; 2012. p. 259–62. Available from: http://doi.acm.org/10.1145/2187980.2188024.

18.

Lyle J, Monteleone S, Faily S, Patti D, Ricciato F. Cross-platform access control for mobile web applications. In: 2012 IEEE international symposium on policies for distributed systems and networks (POLICY);2012. p. 37–44.

19.

webinos Consortium. Context Policy Management Architectural Pattern; July. https://github.com/webinos/webinos-design-data/blob/master/architecture/architecturalpatterns/ContextPolicyManagement.xml.

20.

The MITRE Corporation. Common Attack Pattern Enumeration and Classification (CAPEC) web site; 2012. http://capec.mitre.org.

21.

The MITRE Corporation. Common Weakness Enumeration (CWE) web site; 2012. http://cwe.mitre.org.

22.

webinos Consortium. Ethan Attacker Persona; 2011. https://github.com/webinos/webinos-design-data/blob/master/personas/ethan.xml.

23.

webinos Consortium. Test Footprinting Attack Pattern; July. https://github.com/webinos/webinos-design-data/blob/master/architecture/attackpatterns/TestFootprinting.xml.

24.

Chesbrough HW. Open innovation: the new imperative for creating and profiting from technology. Boston: Harvard Business School Press; 2003.

Title: Evaluating the Implications of Attack and Security Patterns with Premortems
Authors: Shamal Faily
Simon Parkin
John Lyle
Publisher: Springer International Publishing
Book: Cyberpatterns
Print ISBN: 978-3-319-04446-0

Electronic ISBN: 978-3-319-04447-7

Copyright Year: 2014
DOI: https://doi.org/10.1007/978-3-319-04447-7_16

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner