Validating Security Design Pattern Applications Using Model Testing
Takanori Kobashi, Nobukazu Yoshioka, Takao Okubo, Haruhiko Kaiya, Hironori Washizaki and Yoshiaki Fukazawa.
In Proceedings of International Conference on Availability, Reliability and Security (ARES 2013),
pp. 62-71, IEEE CPS, 2-6 Sep., Regensburg, Germany.
Software developers are not necessarily security
specialists, security patterns provide developers with the
knowledge of security specialists. Although security patterns are
reusable and include security knowledge, it is possible to
inappropriately apply a security pattern or that a properly
applied pattern does not mitigate threats and vulnerabilities.
Herein we propose a method to validate security pattern
applications. Our method provides extended security patterns,
which include requirement- and design-level patterns as well as a
new model testing process using these patterns. Developers
specify the threats and vulnerabilities in the target system during
an early stage of development, and then our method validates
whether the security patterns are properly applied and assesses
whether these vulnerabilities are resolved.