7

In software engineering, a design pattern is a general reusable solution to a commonly occurring problem within a given context in software design. Wikipedia lists many different design patterns, for example, but security is never mentioned.

Open SAMM includes the following question in the audit checklist for Secure Architecture: Are project teams provided with prescriptive design patterns based on their application architecture?

I never came across any established security design patterns that are considered state of the art from the community. Am I missing something here or are there no such security design patterns?

AviD
Demento

2 Answers

4

The thing about security is that it's never a one-size-fits-all sort of deal. Because of that you always have to adapt designs to apply to the threats you're willing to counter. A good security design pattern is just a good software design pattern.

If you take a look at Wikipedia it lists a few: http://en.wikipedia.org/wiki/Security_Patterns

There is also an interesting website I came across while Googling: http://www.securitypatterns.org/patterns.html

Or if you take a look at CERT ( http://www.cert.org/archive/pdf/09tr010.pdf ) it lists a few. Here are some just from its list of figures:

  • Defer to Kernel Pattern
  • Secure Factory Pattern Structure
  • Secure Strategy Factory Pattern Structure
  • Secure Builder Factory Pattern Structure
  • Secure Chain of Responsibility Pattern Example
  • Secure Chain of Responsibility Pattern Structure
  • Secure State Machine Pattern Structure
  • Secure State Machine Example Code Collaboration Diagram
  • Secure Visitor Pattern Structure
  • Secure Visitor Example Code Collaboration Diagram
  • Secure Logger Pattern Structure
  • Clear Sensitive Information Pattern Structure
  • Structure of the Input Validation Pattern
Steve
  • These patterns are mostly relevant for applets and other situations when your code executes in an untrusted environment. They are generally useless for, say, web apps. – Vitaly Osipov Nov 28 '12 at 04:09
0

While we wait for this book, you can read and postulate the writings of Rohit Sethi in Securing the Core JEE Patterns2 [PDF].

Also be sure to check out the project he runs on a Security Analysis of Core J2EE Design Patterns.

atdre