Security Patterns Repository

Patterns


(source: SBHBS06)

The function of the access control security service is to permit or deny someone the right to perform an action on an asset, such as create, read, modify, or delete a data file. While each situation that calls for access control is unique, there are common generic requirements that apply to all access-control situations. This pattern provides a common generic set of access control requirements. The requirements address both the access control function and the properties of the access control service, such as ease of use and flexibility. The pattern also helps you to apply the general requirements to your specific situation, and helps you to determine the relative importance of conflicting requirements.

(source: KETEH01)

Passwords are the only approach to remote user authentication that has gained widespread user acceptance. However, password-guessing attacks have proven to be very successful at discovering poorly chosen, weak passwords. Worse, the Web environment lends itself to high-speed, anonymous guessing attacks. Account lockout protects customer accounts from automated password-guessing attacks, by implementing a limit on incorrect password attempts before further attempts are disallowed.

(source: SBHBS06)

Most I&A approaches involve identifying and authenticating an actor against a previously-established known record. Determining how the known record is established is the function of actor registration. This pattern helps you to design a registration mechanism for an actor or user. The type of information recorded depends on the I&A mechanism used. For example, if you are using an ID and password mechanism, then you need to define a user account ID and establish a password. If you are using signature verification, you need to capture user signature samples. This pattern covers the more common types of I&A mechanisms, such as those identified in this book.

(source: KBZ01)

In an RBAC environment, user-role assignment and role-privilege assignment are the major administrative tasks. Each user has a unique subject that describes the user's permitted roles, and the user must activate roles associated with his subject to access information. This pattern creates subjects for users and delegates administrative responsibilities.

(source: DGFRLP04)

This pattern filters calls and responses to/from enterprise applications, based on an institution's access control policies. It does this by interposing a firewall that can analyze incoming requests for application services and check them for authorization.

(source: SW07)

Use the approval requirement pattern to specify that a particular action (or set of actions) must be approved (or, in some circumstances approved) by a second person before it takes place.

(source: SBHBS06)

Asset valuation helps you to determine the overall importance an enterprise places on the assets it owns and controls. Loss or compromise of such assets may result in anything from hard costs, such as fines and fees, to soft costs due to loss of market share and consumer confidence.

(source: SNL05)

To intercept and audit requests to the business tier, use an audit interceptor which centralizes the auditing functionality and enables declarative audit event definitions.

(source: SBHBS06)

An audit service must satisfy a set of requirements for both the service and the quality of service. The audit function is to analyze logs, audit trails or other captured information about an event, such as entering a building or accessing resources on a network, to find and report any indication of security violations. While each situation that calls for an audit is unique, there are common generic requirements that apply to all audit situations. This pattern provides a common generic set of audit requirements. The pattern also helps you to apply the general requirements to your specific situation, and helps you determine the relative importance of conflicting requirements.