Architecting software with security patterns

Authors :
Scandariato, Riccardo
Yskout, Koen
Heyman, Thomas
Joosen, Wouter
Publication Year :
2008
Publisher :
Leuven, Belgium, 2008.

Abstract

Security patterns, as domain-independent expert knowledge packaged in a reusable format, are able to offer significant guidance to the software engineer in developing secure systems. However, the overabundance of published security patterns complicates the process of finding the right pattern to solve the problem at hand. This is due to three reasons. First, not all security patterns are relevant to the software engineer. Second, the domain independence of patterns sometimes complicates finding a solution to a domain-specific problem. Third, patterns exist on different levels of abstraction. Not all patterns can be applied to every step in the development process of a system. This report proposes a method to facilitate the selection of a suitable set of security patterns to realize a specific set of security requirements. It consists of two parts. First, additional structure is superimposed on this collection. Second, a methodology is proposed that, given this structured inventory of patterns, guides the software engineer from the security requirements to an appropriate solution using patterns, taking into account various trade-offs and relations between patterns.

ispartof: CW Reports
nrpages: 26
status: published

Details

Language :
English
Database :
OpenAIRE
Accession number :
edsair.od......1131..796718609ba8cde185839e412f1f0f58