Towards Computer-oriented Security Patterns

Security patterns are a mature paradigm for the development of secure systems. For years, security patterns have proven their usefulness, and have demonstrated that their use, especially at the software architecture level, provides important advantages. Security patterns have also proven their value as a communication vehicle and as an educational tool. However, the ever-growing complexity and heterogeneity of software systems, which now range from tiny pieces of extremely delicate software for the control of embedded devices to internet-scale applications that are used by millions of users, are slowly but inevitably degrading the usefulness and applicability of security patterns in their current text-based form. Moreover, as new applications and technologies appear, the amount of new security solutions grows and with them the number and variety of security patterns representing them. The need to support the selection of the most appropriate pattern based on different parameters and criteria is not well-served by document-based patterns, which are more appropriate for educational purposes than for supporting current model-based and computer-assisted engineering activities. In fact, the engineering and development of software systems cannot be conceived today without a high level of automated support. Finally, security patterns in their current form provide limited support for their integration in the systems under development, resulting in different problems that may even reduce or ruin the intended security property that was meant to be provided by the pattern. The previous reasoning takes us to the core of the content of this paper: the need for a computer-oriented form of patterns, along with mechanisms for automating their use.