Abstract
The importance of Software Security has been evident, since it has been shown that most attacks to software systems are based on vulnerabilities caused by software poorly designed and developed. Furthermore, it has been discovered that it is desirable to embed security already at design phase. Therefore, patterns aiming at enhancing the security of a software system, called security patterns, have been suggested. The main target of this paper is to propose a mathematical model, based on fuzzy set theory, in order to quantify the security characteristics of systems using security patterns. In order to achieve this we first determine experimentally to what extent specific security patterns enhance several security aspects of systems. To determine this, we have developed two systems, one without security patterns and one containing them and have experimentally determined the level of the higher robustness to attacks of the latter. The proposed mathematical model follows.
An erratum to this chapter can be found at http://dx.doi.org/10.1007/11915034_125.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Amoroso, E.: Fundamentals of Computer Security Technology. Prentice-Hall, Englewood Cliffs (1994)
Anley, C.: Advanced SQL Injection in SQL Server Applications, NGSSoftware whitepaper (2002)
Berry, C.A., Carnell, J., Juric, M.B., Kunnumpurath, M.M., Nashi, N., Romanosky, S.: J2EE Design Patterns Applied, Wrox Press (2002)
Blakley, B., Heath, C. and Members of the Open Group Security Forum: Security Design Patterns, Open Group Technical Guide (2004)
Braga, A., Rubira, C., Dahab, R.: Tropyc: A Pattern Language for Cryptographic Software. In: Proceedings of the 5th Conference on Pattern Languages of Programming (PLoP 1998) (1998)
Brooke, P.J., Paige, R.F.: Fault Trees for Security System Design and Analysis. Computers and Security 22(3), 256–264 (2003)
Cai, K.-Y.: Introduction to Fuzzy Reliability. Kluwer Academic Publishers, Dordrecht (1996)
Cai, K.-Y.: System Failure Engineering and Fuzzy Methodology, An Introductory Overview. Fuzzy Sets and Systems 83, 113–133 (1996)
Chen, S.-J., Chen, S.-M.: Fuzzy Risk Analysis Based on Similarity Measures of Generalized Fuzzy Numbers. IEEE Transactions on Fuzzy Sets and Systems 11(1) (2003)
Cgisecurity.com, Cross Site Scripting questions and answers, http://www.cgisecurity.com/articles/xss-faq.shtml
Fernandez, E.: Metadata and authorization patterns (2000), http://www.cse.fau.edu/~ed/MetadataPatterns.pdf
Friedl, S.: SQL Injection Attacks by Example, http://www.unixwiz.net/techtips/sql-injection.html
Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design Patterns, Elements of Reusable Object-Oriented Software. Addison-Wesley, Reading (1995)
Halkidis, S.T., Chatzigeorgiou, A., Stephanides, G.: A Qualitative Evaluation of Security Patterns. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, Springer, Heidelberg (2004)
Hoglund, G., McGraw, G.: Exploiting Software, How to Break Code. Addison-Wesley, Reading (2004)
Howard, M., LeBlanc, D.: Writing Secure Code. Microsoft Press (2002)
Hu, D.: Preventing Cross-Site Scripting Vulnerability, SANS Institute whitepaper (2004)
Kienzle, D., Elder, M.: Security Patterns for Web Application Development, Univ. of Virginia Technical Report (2002)
Klein, A.: Divide and Conquer. HTTP Response Splitting, Web Cache Poisoning Attacks and Related Topics, Sanctum whitepaper (2004)
Lee Brown, F., Di Vietri, J., Diaz de Villegas, G., Fernandez, E.: The Authenticator Pattern. In: Proceedings of the 6th Conference on Pattern Languages of Programming (PLoP 1999) (1999)
Livshits, B., Lam, M.S.: Proceedings of the 14th USENIX Security Symposium (2005)
Livshits, B., Lam, M.S.: Finding Security Vulnerabilities in Java Applications with Static Analysis, Stanford University Technical Report (2005)
Mahmoud, Q.: Security Policy: A Design Pattern for Mobile Java Code. In: Proceedings of the 7th Conference on Pattern Languages of Programming (PLoP 2000) (2000)
Mouratidis, H., Giorgini, P., Schumacher, M.: Security Patterns for Agent Systems. In: Proceedings of the Eighth European Conference on Pattern Languages of Programs (EuroPLoP 2003) (2003)
Pullum, L.L.: Software Fault Tolerance Techniques and Implementation. Artech House Publishers (2001)
Roman, E., Sriganesh, R.P., Brose, G.: Mastering Enterprise JavaBeans, 3rd edn. Wiley, Chichester (2005)
Romanosky, S.: Enterprise Security Patterns (2002), http://www.romanosky.net/papers/EnterpriseSecurityPatterns.pdf
Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger Password Authentication Using Browser Extensions. In: Proceedings of the 14th USENIX Security Symposium (2005)
Scambray, J., Shema, M.: Hacking Exposed Web Applications. McGraw-Hill, New York (2002)
Spett, K.: Cross-Site Scripting, Are your web applications vulnerable? SPI Labs whitepaper
SPI Labs, SQL Injection, Are Your Web Applications Vulnerable? SPI Labs whitepaper
Spinnelis, D.: Code Quality: The Open Source Perspective. Addison-Wesley, Reading (2006)
Steel, C., Nagappan, R., Lai, R.: Core Security Patterns, Best Practices and Strategies for J2EE, Web Services, and Identity Management. Prentice-Hall, Englewood Cliffs (2006)
Viega, J., McGraw, G.: Building Secure Software, How to Avoid Security Problems the Right Way. Addison-Wesley, Reading (2002)
Yoder, J., Barcalow, J.: Architectural Patterns for enabling application security. In: Proceedings of the 4th Conference on Pattern Languages of Programming (PLoP 1997) (1997)
Weiss, M.: Patterns for Web Applications. In: Proceedings of the 10th Conference on Pattern Languages of Programming (PLoP 2003) (2003)
Wu, T.: A Real-World Analysis of Kerberos Password Security. In: Proceedings of the 1999 Network and Distributed System Symposium (1999)
Zimmerman, H.-J.: Fuzzy Set Theory and its Applications, 3rd edn. Kluwer Academic, Dordrecht (1996)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Halkidis, S.T., Chatzigeorgiou, A., Stephanides, G. (2006). Quantitative Evaluation of Systems with Security Patterns Using a Fuzzy Approach. In: Meersman, R., Tari, Z., Herrero, P. (eds) On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops. OTM 2006. Lecture Notes in Computer Science, vol 4277. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11915034_79
Download citation
DOI: https://doi.org/10.1007/11915034_79
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-48269-7
Online ISBN: 978-3-540-48272-7
eBook Packages: Computer ScienceComputer Science (R0)