Security Patterns Repository

Patterns


(source: SBHBS06)

A service that captures security audit trails and audit logs must satisfy a set of requirements for both the service and the quality of service. The audit trails and logging function is to capture audit logs and audit trails about events and activities that occur within an organization or system, to enable reconstruction and analysis of those events and activities. While each situation that calls for an audit trail is unique, there are common generic requirements that apply to all audit trails and logging situations. This pattern provides a common generic set of audit trail requirements. The pattern also helps you to apply the general requirements to your specific situation, and helps you to determine the relative importance of conflicting requirements.

(source: KETEH01)

An authenticated session allows a Web user to access multiple access-restricted pages on a Web site without having to re-authenticate on every page request. Most Web application development environments provide basic session mechanisms. This pattern incorporates user authentication into the basic session model.

(source: HHS07)

Authentication of users and other systems is an important issue for many security-critical systems. Authentication is the problem of verifying a claimed identity.

(source: SNL05)

To reduce authentication code duplication and allow for easy changes to the authentication mechanism, create a centralized authentication enforcer that performs authentication of users and encapsulates the details of the authentication mechanism.

(source: BH04)

(source: SBHBS06)

This pattern addresses the problem of how to verify that a subject is who it says it is. Use a SINGLE ACCESS POINT (279) to receive the interactions of a subject with the system and apply a protocol to verify the identity of the subject.

(source: SBHBS06)

This pattern describes who is authorized to access specific resources in a system, in an environment in which we have resources whose access needs to be controlled. It indicates, for each active entity that can access resources, which resources it can access, and how it can access them.

(source: SNL05)

To verify that each request is authorized, create an access controller that will perform authorization checks using standard mechanisms.

(source: SBHBS06)

This pattern describes alternative techniques for automated I&A, as opposed to procedural or physical I&A. It helps you to select an appropriate I&A strategy that consists of a single technique, or a combination of techniques, to satisfy I&A requirements. Techniques considered include password, biometrics, hardware token, PKI, and I&A of unregistered users.