Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
---|---|---|---|---|---|
Searching... | 30000010304290 | TK5105.59 F47 2013 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
Learn to combine security theory and code to produce secure systems
Security is clearly a crucial issue to consider during the design and implementation of any distributed software architecture. Security patterns are increasingly being used by developers who take security into serious consideration from the creation of their work. Written by the authority on security patterns, this unique book examines the structure and purpose of security patterns, illustrating their use with the help of detailed implementation advice, numerous code samples, and descriptions in UML.
Provides an extensive, up-to-date catalog of security patterns Shares real-world case studies so you can see when and how to use security patterns in practice Details how to incorporate security from the conceptual stage Highlights tips on authentication, authorization, role-based access control, firewalls, wireless networks, middleware, VoIP, web services security, and more Author is well known and highly respected in the field of security and an expert on security patternsSecurity Patterns in Practice shows you how to confidently develop a secure system step by step.
Author Notes
Eduardo B. Fernandez (FL, USA - www.cse.fau.edu/~ed) is a professor in the Department of Computer Science and Engineering at the Florida Atlantic University in Boca Raton, Florida. Ed has published numerous papers and four books on authorization models, object-oriented analysis & design, and security patterns. He has lectured all over the world at both academic and industrial meetings. His current interests include security patterns, web services, cloud computing security and fault tolerance. He holds a MS degree in Electrical Engineering from Purdue University and a Ph.D. in Computer Science from UCLA. Ed is an active consultant for industry, including assignments with IBM, Allied Signal, Motorola, Lucent, and others.
Table of Contents
Foreword | p. xvii |
Preface | p. xix |
Part I Introduction | |
Chapter 1 Motivation and Objectives | p. 1 |
Why Do We Need Security Patterns? | p. 1 |
Some Basic Definitions | p. 3 |
The History of Security Patterns | p. 5 |
Industrial Use of Security Patterns | p. 6 |
Other Approaches to Building Secure Systems | p. 6 |
Chapter 2 Patterns and Security Patterns | p. 7 |
What is a Security Pattern? | p. 7 |
The Nature of Security Patterns | p. 8 |
Pattern Descriptions and Catalogs | p. 10 |
The Anatomy of a Security Pattern | p. 11 |
Pattern Diagrams | p. 17 |
How Can We Classify Security Patterns? | p. 17 |
Pattern Mining | p. 19 |
Uses for Security Patterns | p. 20 |
How to Evaluate Security Patterns and their Effect on Security | p. 21 |
Threat Modeling and Misuse Patterns | p. 22 |
Fault Tolerance Patterns | p. 22 |
Chapter 3 A Secure Systems Development Methodology | p. 23 |
Adding Information to Patterns | p. 23 |
A Lifecyle-Based Methodology | p. 24 |
Using Model-Driven Engineering | p. 27 |
Part II Patterns | |
Chapter 4 Patterns for Identity Management | p. 31 |
Introduction | p. 32 |
Circle of Trust | p. 34 |
Identity Provider | p. 36 |
Identity Federation | p. 38 |
Liberty Alliance Identity Federation | p. 44 |
Chapter 5 Patterns for Authentication | p. 51 |
Introduction | p. 51 |
Authenticator | p. 52 |
Remote Authenticator/Authorizer | p. 56 |
Credential | p. 62 |
Chapter 6 Patterns for Access Control | p. 71 |
Introduction | p. 71 |
Authorization | p. 74 |
Role-Based Access Control | p. 78 |
Multilevel Security | p. 81 |
Policy-Based Access Control | p. 84 |
Access Control List | p. 91 |
Capability | p. 96 |
Reified Reference Monitor | p. 100 |
Controlled Access Session | p. 104 |
Session-Based Role-Based Access Control | p. 107 |
Security Logger and Auditor | p. 111 |
Chapter 7 Patterns for Secure Process Management | p. 117 |
Introduction | p. 117 |
Secure Process/Thread | p. 120 |
Controlled-Process Creator | p. 126 |
Controlled-Object Factory | p. 129 |
Controlled-Object Monitor | p. 132 |
Protected Entry Points | p. 136 |
Protection Rings | p. 139 |
Chapter 8 Patterns for Secure Execution and File Management | p. 145 |
Introduction | p. 145 |
Virtual Address Space Access Control | p. 146 |
Execution Domain | p. 149 |
Controlled Execution Domain | p. 151 |
Virtual Address Space Structure Selection | p. 156 |
Chapter 9 Patterns for Secure OS Architecture and Administration | p. 163 |
Introduction | p. 163 |
Modular Operating System Architecture | p. 165 |
Layered Operating System Architecture | p. 169 |
Microkernel Operating System Architecture | p. 174 |
Virtual Machine Operating System Architecture | p. 179 |
Administrator Hierarchy | p. 184 |
File Access Control | p. 187 |
Chapter 10 Security Patterns for Networks | p. 193 |
Introduction | p. 194 |
Abstract Virtual Private Network | p. 195 |
IP Sec VPN | p. 200 |
TLS Virtual Private Network | p. 202 |
Transport Layer Security | p. 205 |
Abstract IDS | p. 214 |
Signature-Based IDS | p. 219 |
Behavior-Based IDS | p. 224 |
Chapter 11 Patterns for Web Services Security | p. 231 |
Introduction | p. 231 |
Application Firewall | p. 234 |
XML Firewall | p. 242 |
XACML Authorization | p. 248 |
XACML Access Control Evaluation | p. 254 |
Web Services Policy Language | p. 260 |
WS-Policy | p. 263 |
WS-Trust | p. 272 |
SAML Assertion | p. 279 |
Chapter 12 Patterns for Web Services Cryptography | p. 285 |
Introduction | p. 286 |
Symmetric Encryption | p. 288 |
Asymmetric Encryption | p. 295 |
Digital Signature with Hashing | p. 301 |
XML Encryption | p. 309 |
XML Signature | p. 317 |
WS-Security | p. 330 |
Chapter 13 Patterns for Secure Middleware | p. 337 |
Introduction | p. 337 |
Secure Broker | p. 339 |
Secure Pipes and Filters | p. 347 |
Secure Blackboard | p. 353 |
Secure Adapter | p. 358 |
Secure Three-Tier Architecture | p. 362 |
Secure Enterprise Service Bus | p. 366 |
Secure Distributed Publish/Subscribe | p. 372 |
Secure Model-View-Controller | p. 375 |
Chapter 14 Misuse Patterns | p. 383 |
Introduction | p. 383 |
Worm | p. 390 |
Denial-of-Service in VoIP | p. 397 |
Spoofing Web Services | p. 403 |
Chapter 15 Patterns for Cloud Computing Architecture | p. 411 |
Introduction | p. 411 |
Infrastructure-as-a-Service | p. 413 |
Platform-as-a-Service | p. 423 |
Software-as-a-Service | p. 431 |
Part III Use of the Patterns | |
Chapter 16 Building Secure Architectures | p. 441 |
Enumerating Threats | p. 442 |
The Analysis Stage | p. 445 |
The Design Stage | p. 448 |
Secure Handling of Legal Cases | p. 451 |
SCADA Systems | p. 459 |
Medical Applications | p. 466 |
Conclusions | p. 478 |
Chapter 17 Summary and the Future of Security Patterns | p. 479 |
Summary of Patterns | p. 479 |
Future Research Directions for Security Patterns | p. 494 |
Security Principles | p. 496 |
The Future | p. 497 |
Appendix A Pseudocode for XACML Access Control Evaluation | p. 499 |
Glossary | p. 501 |
References | p. 509 |
Index of Patterns | p. 543 |
Index | p. 547 |