Special Issue "Security Patterns in Industry"

A special issue of Future Internet (ISSN 1999-5903).

Deadline for manuscript submissions: 31 December 2018

Special Issue Editor

Guest Editor
Prof. Dr. Eduardo B. Fernandez

Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University, 777 Glades Road, Boca Raton, FL 33431, USA
Website | E-Mail
Phone: 015612973466
Fax: +1-561-297-2800
Interests: software architecture; systems security; web services; cloud computing

Special Issue Information

Dear Colleagues,

Security patterns are widely considered to be a good way to build secure systems, but they are still rarely used in industry. It is not that security patterns are not used, it is just that they should be used more. One reason is that are not considered easy to apply, a somewhat unfair critique since several pattern-based methodologies exist to build secure systems in a systematic way (Uzunov et al. 2012). We analyzed this problem in a recent paper [Fer16], where we considered the need for more experimental evaluations.

Security patterns are starting to be accepted, with some companies producing catalogs in books and in the web, including IBM (IBM2016), Sun (Oracle) (Steel et al. 2005), General Dynamics, and Microsoft (Botez, Microsoft). In particular, our patterns (Fernandez 2013) have appeared in industrial catalogs and have been used in a few industrial projects. We know of other projects: Hafiz and Johnson describe the improvements to a complex industrial software architecture using security and reliability patterns (Hafiz and Johnson 2008); the Tizen operating system includes several security patterns (Gadyatskaya et al. 2014); the Australian Center of Defense has used them in an advanced project (Docking et al.). We would like to hear from people using security patterns and find out their experiences with them. Another related question is: Do we have better alternatives: Tactics (Bass2012)? Aspects (Ray et al.)? Others?

Prof. Dr. Eduardo B. Fernandez
Guest Editor

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, click here to go to the submission form. Manuscripts can be submitted until the deadline. All papers will be peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 100 words) can be sent to the Editorial Office for announcement on this website.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Future Internet is an international peer-reviewed open access monthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 850 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Keywords

  • Security patterns
  • Software security
  • Secure systems design
  • Software patterns
  • Software engineering

Related Special Issue

Published Papers (1 paper)

View options order results:
result details:
Displaying articles 1-1
Export citation of selected articles as:

Research

Open AccessArticle Context Analysis of Cloud Computing Systems Using a Pattern-Based Approach
Future Internet 2018, 10(8), 72; https://doi.org/10.3390/fi10080072
Received: 14 June 2018 / Revised: 21 July 2018 / Accepted: 29 July 2018 / Published: 31 July 2018
PDF Full-text (2040 KB) | HTML Full-text | XML Full-text
Abstract
Cloud computing services bring new capabilities for hosting and offering complex collaborative business operations. However, these advances might bring undesirable side-effects, e.g., introducing new vulnerabilities and threats caused by collaboration and data exchange over the Internet. Hence, users have become more concerned about
[...] Read more.
Cloud computing services bring new capabilities for hosting and offering complex collaborative business operations. However, these advances might bring undesirable side-effects, e.g., introducing new vulnerabilities and threats caused by collaboration and data exchange over the Internet. Hence, users have become more concerned about security and privacy aspects. For secure provisioning of a cloud computing service, security and privacy issues must be addressed by using a risk assessment method. To perform a risk assessment, it is necessary to obtain all relevant information about the context of the considered cloud computing service. The context analysis of a cloud computing service and its underlying system is a difficult task because of the variety of different types of information that have to be considered. This context information includes (i) legal, regulatory and/or contractual requirements that are relevant for a cloud computing service (indirect stakeholders); (ii) relations to other involved cloud computing services; (iii) high-level cloud system components that support the involved cloud computing services; (iv) data that is processed by the cloud computing services; and (v) stakeholders that interact directly with the cloud computing services and/or the underlying cloud system components. We present a pattern for the contextual analysis of cloud computing services and demonstrate the instantiation of our proposed pattern with real-life application examples. Our pattern contains elements that represent the above-mentioned types of contextual information. The elements of our pattern conform to the General Data Protection Regulation. Besides the context analysis, our pattern supports the identification of high-level assets. Additionally, our proposed pattern supports the documentation of the scope and boundaries of a cloud computing service conforming to the requirements of the ISO 27005 standard (information security risk management). The results of our context analysis contribute to the transparency of the achieved security and privacy level of a cloud computing service. This transparency can increase the trust of users in a cloud computing service. We present results of the RestAssured project related to the context analysis regarding cloud computing services and their underlying cloud computing systems. The context analysis is the prerequisite to threat and control identification that are performed later in the risk management process. The focus of this paper is the use of a pattern at the time of design systematic context analysis and scope definition for risk management methods. Full article
(This article belongs to the Special Issue Security Patterns in Industry)
Figures

Figure 1

Back to Top