Security Patterns Repository

Patterns


(source: DSS+09)

The intent of this pattern is to clearly separate functionality that requires elevated privileges from functionality that does not require elevated privileges and to take advantage of existing user verification functionality available at the kernel level. Using existing user verification kernel functionality leverages the kernel's established role in arbitrating security decisions rather than reinventing the means to arbitrate security decisions at the user level.

(source: SBHBS06)

Any organization conducting e-commerce or publishing information over Web technologies must make their service easily accessible to their users. However, any form of Web site or e-commerce system is a potential target for attack, especially those on the Internet. A Demilitarized Zone (DMZ) separates the business functionality and information from the Web servers that deliver it, and places the Web servers in a secure area. This reduces the ‘surface area’ of the system that is open to attack.

(source: DSS+09)

The intent of the Distrustful Decomposition secure design pattern is to move separate functions into mutually untrusting programs, thereby reducing both the attack surface of the individual programs that make up the system and the functionality and data exposed to an attacker if one of the mutually untrusting programs is compromised.

(source: SBHBS06)

All systems are potentially liable to attack, whether from internal or external sources. If the information held by a system is sensitive, it should be protected. Part of this protection can take the form of obscuring the data itself, probably through some form of encryption, and obscuring information about the environment surrounding the data.

(source: SBHBS06)

A Web site constructed from applications from different sources might require several different servers because of the heterogeneous operating requirements of the different applications. Because of the Internet addressing scheme, this distribution across several hosts is visible to the end user. Any change of the distribution, or switch of parts of the site to a different host, can invalidate URLs used so far, whether cross-links to the Web site or bookmarks set up by users. An INTEGRATION REVERSE PROXY (465) alleviates this situation by providing a homogeneous view of a collection of servers, without leaking the physical distribution of the individual machines to end users.

(source: SBHBS06)

Some of the hosts in other networks may try to attack the local network through their IP-level payloads. These payloads may include viruses or application-specific attacks. We need to identify and block those hosts. A packet filter firewall filters incoming and outgoing network traffic in a computer system based on packet inspection at the IP level.

(source: DSS+09)

The intent of the PrivSep pattern is to reduce the amount of code that runs with special privilege without affecting or limiting the functionality of the program. The PrivSep pattern is a more specific instance of the Distrustful Decomposition pattern.

(source: SBHBS06)

Putting a Web server or an application server directly on the Internet gives attackers direct access to any vulnerabilities of the underlying platform (application, Web server, libraries, operating system). However, to provide a useful service to Internet users, access to your server is required. A packet filter firewall shields your server from attacks at the network level. In addition, a PROTECTION REVERSE PROXY (457) protects the server software at the level of the application protocol.

(source: SBHBS06)

A proxy-based firewall inspects and filters incoming and outgoing network traffic based on the type of application service to be accessed, or performing the access. This pattern interposes a proxy between the request and the access, and applies controls through this proxy. This is usually done in addition to the normal filtering based on addresses.