Most security books are targeted at security engineers and specialists. Few show how to build security into software. None break down the different concerns facing security at different levels of the system: the enterprise, architectural and operational layers.
Security Patterns addresses the full spectrum of security in systems design, using best practice solutions to show how to integrate security in the broader engineering process.
Essential for designers building large-scale systems who want best practice solutions to typical security problems.
Real world case studies illustrate how to use the patterns in specific domains.
For more information visit www.securitypatterns.org
Chapter 1 The Pattern Approach
Patterns at a Glance
No Pattern is an Island
Patterns Everywhere
Humans are the Target
Patterns Resolve Problems and Shape Environments
Towards Pattern Languages
Documenting Patterns
A Brief Note on The History of Patterns
The Pattern Community and its Culture
Chapter 2 Security Foundations
Overview
Security Taxonomy
General Security Resources
Chapter 3 Security Patterns
The History of Security Patterns
Characteristics of Security Patterns
Why Security Patterns?
Sources for Security Pattern Mining
Chapter 4 Patterns Scope and Enterprise Security
The Scope of Patterns in the Book
Organization Factors
Resulting Organization
Mapping to the Taxonomy
Organization in the Context of an Enterprise Framework
Chapter 5 The Security Pattern Landscape
Enterprise Security and Risk Management Patterns
Identification & Authentication (I&A) Patterns
Access Control Model Patterns
System Access Control Architecture Patterns
Operating System Access Control Patterns
Accounting Patterns
Firewall Architecture Patterns
Secure Internet Applications Patterns
Cryptographic Key Management Patterns
Related Security Pattern Repositories Patterns
Chapter 6 Enterprise Security and Risk Management
Security Needs Identification for Enterprise Assets
Asset Valuation
Threat Assessment
Vulnerability Assessment
Risk Determination
Enterprise Security Approaches
Enterprise Security Services
Enterprise Partner Communication
Chapter 7 Identification and Authentication (I&A)
I&A Requirements
Automated I&A Design Alternatives
Password Design and Use
Biometrics Design Alternatives
Chapter 8 Access Control Models
Authorization
Role-Based Access Control
Multilevel Security
Reference Monitor
Role Rights Definition
Chapter 9 System Access Control Architecture
Access Control Requirements
Single Access Point
Check Point
Security Session
Full Access with Errors
Limited Access
Chapter 10 Operating System Access Control
Authenticator
Controlled Process Creator
Controlled Object Factory
Controlled Object Monitor
Controlled Virtual Address Space
Execution Domain
Controlled Execution Environment
File Authorization
Chapter 11 Accounting
Security Accounting Requirements
Audit Requirements
Audit Trails and Logging Requirements
Intrusion Detection Requirements
Non-Repudiation Requirements
Chapter 12 Firewall Architectures
Packet Filter Firewall
Proxy-Based Firewall
Stateful Firewall
Chapter 13 Secure Internet Applications
Information Obscurity
Secure Channels
Known Partners
Demilitarized Zone
Protection Reverse Proxy
Integration Reverse Proxy
Front Door
Chapter 14 Case Study: IP Telephony
IP Telephony at a Glance
The Fundamentals of IP Telephony
Vulnerabilities of IP Telephony Components
IP Telephony Use Cases
Securing IP telephony with patterns
Applying Individual Security Patterns
Conclusion
Chapter 15 Supplementary Concepts
Security Principles and Security Patterns
Enhancing Security Patterns with Misuse Cases
Chapter 16 Closing Remarks
References
Index