Preface
El que lee mucho y anda mucho, ve mucho y sabe mucho.
(The one who reads a lot and goes around a lot, sees much and knows much.)
Miguel de Cervantes, El ingenioso hidalgo don Quijote de la Mancha
I started working on security when I joined IBM, where I worked for almost nine years doing security research. I coauthored a book on database security while there, one of the first to appear on this topic. I later realized that a large amount of security knowledge was wasted, because practitioners had not read the variety of books and papers that had started to appear; they kept repeating the same mistakes. In particular, software developers knew little about security. Later I participated in a conference about patterns and realized that expressing security knowledge as patterns could be an effective way to spread this knowledge. Around that time, Yoder and Barcalow [Yod97] published a paper about expressing security solutions as patterns that further convinced me that this was a good direction. I found later that security patterns could do more than propagate security knowledge to inexperienced developers; they could also be useful for security experts, to help them apply security in a systematic way to build new applications or products, understand complex standards, audit complex applications and reengineer legacy systems. I was coauthor of a book that published most of the security patterns known up to 2005. However, since that book was published, many more patterns have appeared.
I have written over 80 patterns, most of which are shown in this book. Other authors have presented patterns which complement ours (see Chapter 1). I have listed most of them in the See Also sections of each pattern. Note that they may use a different notation or pattern form from ours.
I did not try to be exhaustive, and I may have left out some useful patterns. I hope to include those discovered later, or that appear later, on the book’s web page at http://www.wiley.com/go/securitypatterns or in a new edition of this book. Patterns can be improved after one uses them or understands them better. Some of these patterns were written as long as 15 years ago, while others are still under development. When I looked at the older patterns, I realized that I could write them better now, which delayed the completion of this book. It is not a second volume or a continuation of our 2006 book [Sch06b], but it reflects my own views and my own work. Some of my patterns from the earlier book are included here for completeness; my intention is to eventually produce a complete catalog, although I am not there yet. Other authors have also produced some good patterns, and altogether there is a good quantity of patterns that developers and researchers can use. My audience is mostly made up of software developers who are trying to incorporate security in their work. However, there is material here for researchers and computer science students, as well as for anybody interested in systems security.
A difficult point was to unify the style of patterns produced over a long time span. All the patterns presented here have either been discussed at a pattern conference or presented at a research conference. However, I have reworked all of them for this book, some extensively. I also participated very actively in the original versions, having usually provided the initial ideas, read every line of them and improved their contents. In other words, I am really a full author of this book, not just an editor of past works or a presenter of my students’ work.
Patterns alone are not enough: the final objective is to build secure systems. For that purpose, I have been working on a methodology for building secure systems using patterns, of which several examples are shown here. The approach I use is strictly an engineering one. This does not mean avoidance of theory, but I use it only when necessary. It does not mean code either: although I give some code examples, I use mostly models. To handle the complexity of current systems, we need the abstraction power of models. An important value of patterns is that they lead to systems thinking. A system is more than the sum of its parts; looking at isolated code and hardware components is a microscopic view that cannot lead to secure systems.
Patterns can be described in anything from single-page ideas to 30-page detailed descriptions. I have chosen an intermediate level, where I give enough detail for a user to understand the meaning of the pattern and evaluate its possibilities. I have found this level of detail the most useful in my work. I have resisted the temptation of adding background material on security: several good textbooks exist (see Chapter 1).
Because I work in a university, I have been accused a few times of not being ‘practical enough’. I did work in industry for about ten years, and I occasionally do consulting for companies, so I do have some industrial experience. Some of my students have also provided an important industrial perspective, since many of them were working in local industry when we wrote these patterns. In some respects, this is an interdisciplinary book, in that it connects security to software architecture.
I would greatly appreciate comments or corrections. These patterns encompass all areas of computer systems architecture, and I am sure I may have misunderstood some aspects. I am also particularly interested to hear of any interesting use of security patterns in industrial projects. Write to me at ed@cse.fau.edu. Markus Schumacher and I will publish comments on patterns at securitypatterns.org.
BOOK STRUCTURE
The book is divided into three parts. The first three chapters describe motivation, experience in using patterns, the objectives of the book, and present my secure development methodology. Part II is a pattern catalog, including patterns for different architectural levels of a computer system. Part III shows some examples of application of the patterns, has tables of patterns, and indicates possible research directions.
ACKNOWLEDGEMENTS
This work is the result of my work on security over many years, attending security and patterns conferences, listening and talking to many colleagues around the world, all of whom contributed to this work. More specifically, my students, in particular Nelly Delessy, Keiko Hashizume, Ola Ajaj, Juan C. Pelaez and Ajoy Kumar, wrote several versions of these patterns. My colleagues Maria M. Larrondo-Petrie and Mike Van Hilst collaborated in some of the published patterns. My international collaborators included Nobukazu Yoshioka and Hironori Washizaki (Japan), Günther Pernul (Germany), David LaRed (Argentina), Anton Uzunov (Australia), Fabricio Braz (Brazil), Jaime Muñoz Arteaga (Mexico) and Antonio Maña (Spain).
The shepherds and workshop participants in the Pattern Languages conferences (PLoP, EuroPLoP, Asian PLoP and Latin American PLoP) gave valuable comments, in particular Joe Yoder, Fabio Kon, Richard Gabriel, Rosana Braga, Ralph Johnson, Lior Schachter, and others. Craig Heath commented on the first three chapters.
The editorial staff of Wiley UK – Ellie Scott, Birgit Gruber and Sara Shlaer – and Steve Rickaby of WordMongers, were very helpful and encouraging. Markus Schumacher was an ideal shepherd, in that he caught important errors or missing aspects. My thanks to all of them.