Security Patterns Repository

Patterns

(source: KETEH01)

Passwords are the only approach to remote user authentication that has gained widespread user acceptance. However, password-guessing attacks have proven to be very successful at discovering poorly chosen, weak passwords. Worse, the Web environment lends itself to high-speed, anonymous guessing attacks. Account lockout protects customer accounts from automated password-guessing attacks by implementing a limit on incorrect password attempts before further attempts are disallowed.

(source: SBHBS06)

Most I&A approaches involve identifying and authenticating an actor against a previously established known record. Determining how the known record is established is the function of actor registration. This pattern helps you to design a registration mechanism for an actor or user. The type of information recorded depends on the I&A mechanism used. For example, if you are using an ID and password mechanism, then you need to define a user account ID and establish a password. If you are using signature verification, you need to capture user signature samples. This pattern covers the more common types of I&A mechanisms, such as those identified in this book.

(source: KBZ01)

In an RBAC environment, user-role assignment and role-privilege assignment are the major administrative tasks. Each user has a unique subject that describes the user's permitted roles, and the user must activate the roles associated with that subject to access information. This pattern creates subjects for users and delegates administrative responsibilities.

(source: DGFRLP04)

This pattern filters calls and responses to/from enterprise applications, based on an institution's access control policies. It does this by interposing a firewall that can analyze incoming requests for application services and check them for authorization.

(source: SNL05)

To intercept and audit requests to the business tier, use an audit interceptor which centralizes the auditing functionality and enables declarative audit event definitions.

(source: KETEH01)

An authenticated session allows a Web user to access multiple access-restricted pages on a Web site without having to re-authenticate on every page request. Most Web application development environments provide basic session mechanisms. This pattern incorporates user authentication into the basic session model.

(source: SNL05)

To reduce authentication code duplication and allow for easy changes to the authentication mechanism, create a centralized authentication enforcer that performs authentication of users and encapsulates the details of the authentication mechanism.

(source: BH04)

(source: SBHBS06)

This pattern addresses the problem of how to verify that a subject is who it says it is. Use a SINGLE ACCESS POINT (279) to receive the interactions of a subject with the system and apply a protocol to verify the identity of the subject.