A Reimagined Catalogue of Software Security Patterns

Abstract

Since their introduction, security patterns had the promise to aid non-security experts to design secure software, yet in practice adoption and thus impact of security patterns remains limited. We believe one of the reasons is that existing security patterns are a mixture of security advice and advice on software design, such as encapsulation for maintainability. To address this, we propose a new security pattern catalogue in which we approach patterns from a security-centric perspective instead of a generic software engineering perspective. More specifically, we treat security as a first-class citizen while relying as much as possible on the vast body of knowledge from the security domain. Furthermore, our catalogue is structured to enable easy navigation for identifying relevant security problems and selecting appropriate solutions. In order to ensure a consistent level of abstraction and allow easier combination of multiple patterns, we describe our catalogue in a uniform description language and metamodel. An initial evaluation shows that our catalogue has good coverage of common security problems and solutions, indicating the catalogue's potential, but further evaluation is required to evaluate its impact in practice.