Security Patterns Repository

Patterns

(source: SBHBS06)

This pattern aids the selection of appropriate biometric mechanisms to satisfy identification and authentication (I&A) requirements. Biometric mechanisms considered are face recognition, finger image, hand geometry, iris recognition, retinal scanning, signature verification, and speaker verification. Additional mechanisms, including DNA, are identified for completeness.

(source: HSCTW+06)

A client needs to access a Web service. The Web service requires the application to present credentials for authentication so that additional controls such as authorization and auditing can be implemented.

(source: HSCTW+06)

Web services must authenticate clients so that additional controls, such as authorization and auditing, can be implemented. The organization has decided to use an authentication broker to provide a common access control infrastructure for a group of applications. The authentication broker negotiates trust between client applications and Web services, which removes the need for a direct relationship. The authentication broker should issue signed security tokens that can be used for authentication.

(source: HSCTW+06)

Web services need to authenticate clients in a heterogeneous environment so that additional controls such as authorization and auditing can be implemented. The organization has decided to use an authentication broker to provide a common access control infrastructure for a group of applications. The authentication broker negotiates trust between client applications and Web services; this removes the need for a direct relationship. The authentication broker should issue signed security tokens that can be used for authentication.

(source: HSCTW+06)

Web services must authenticate clients so that additional controls, such as authorization and auditing, can be implemented. The organization has decided to use brokered authentication, based on the need for a single sign-on (SSO) solution and to allow multiple Web services to share a standard access control infrastructure. The authentication broker should issue signed security tokens that can be used for authentication.

(source: KE01)

Many Web compromises and defacements occur because of unnecessary and potentially vulnerable services present on the Web server. Default installations of many operating systems and applications are the source of many of these services. This pattern advocates building the server from the ground up: understanding the default installation of the operating system and applications, simplifying the configuration as much as possible, removing any unnecessary services, and investigating the vulnerable services that are a part of the Web server configuration.

(source: SBHBS06)

Once you have secured a system using SINGLE ACCESS POINT (279), a means of identification and authentication (I&A) and response to unauthorized break-in attempts is required for securing the system. CHECK POINT (287) makes such an effective I&A and access control mechanism easy to deploy and evolve.

(source: BH04)

Structure a system so that its state can be recovered and restored to a known valid state in case a component fails.

(source: KE01)

Many security problems can be avoided during system design if components, languages, and tools are selected with security in mind. This is not to say that security is the only criterion of concern – merely that it should not be ignored while making these decisions. This pattern provides guidance in selecting appropriate Commercial-Off-the-Shelf components and in deciding whether to build custom components.