Most security books are targeted at security engineers and
specialists. Few show how build security into software. None
breakdown the different concerns facing security at different
levels of the system: the enterprise, architectural and operational
layers. Security Patterns addresses the full
spectrum of security in systems design, using best practice
solutions to show how to integrate security in the broader
engineering process.
* Essential for designers building large-scale systems who want
best practice solutions to typical security problems
* Real world case studies illustrate how to use the patterns in
specific domains
For more information visit www.securitypatterns.org
Autorentext
Markus Schumacher, SAP AG, Germany.
Eduardo Fernandez-Buglioni, Florida Atlantic University, USA.
Duane Hybertson, The MITRE Corp, USA.
Frank Buschmann, Siemens AG, Germany.
Peter Sommerlad, Hochschule für Technik Rapperswil, Germany.
Klappentext
International security experts explain the full spectrum of security in systems design
Security can be an intimidating subject area, but this need not be the case. Although time constraints may prevent systems engineers from becoming security specialists, guarding systems against attack is essential. With the growing success of the Internet, computer and software systems have become more and more networked. Written from the heart of the patterns community, the authors address key questions and present corresponding proven solutions, clearly showing you how to build secure systems.
In a time where systems are constantly at risk, it is essential that you arm yourself with the knowledge of different security measures. This pioneering title breaks down security at various levels of the system: the enterprise, architectural and operational layers. It acts as an extension to the larger enterprise contexts and shows you how to integrate security in the broader engineering process.
Essential security topics include:
Enterprise level security security management, principles, institutional policies (such as need-to-know) and enterprise needs (including confidentiality, integrity, availability, accountability, I&A, access control and audit).
Architectural level security system level solutions responding to enterprise level policies and the most important level for facilitating building security into a system.
User level security concerned with achieving security in operational contexts
Zusammenfassung
Most security books are targeted at security engineers and specialists. Few show how build security into software. None breakdown the different concerns facing security at different levels of the system: the enterprise, architectural and operational layers. Security Patterns addresses the full spectrum of security in systems design, using best practice solutions to show how to integrate security in the broader engineering process.
- Essential for designers building large-scale systems who want best practice solutions to typical security problems
- Real world case studies illustrate how to use the patterns in specific domains
For more information visit www.securitypatterns.org
Inhalt
Chapter 1 The Pattern Approach 1
Patterns at a Glance 2
No Pattern is an Island 4
Patterns Everywhere 4
Humans are the Target 5
Patterns Resolve Problems and Shape Environments 6
Towards Pattern Languages 7
Documenting Patterns 9
A Brief Note on The History of Patterns 11
The Pattern Community and its Culture 12
Chapter 2 Security Foundations 15
Overview 16
Security Taxonomy 17
General Security Resources 26
Chapter 3 Security Patterns 29
The History of Security Patterns 30
Characteristics of Security Patterns 31
Why Security Patterns? 34
Sources for Security Pattern Mining 37
Chapter 4 Patterns Scope and Enterprise Security 47
The Scope of Patterns in the Book 48
Organization Factors 49
Resulting Organization 51
Mapping to the Taxonomy 53
Organization in the Context of an Enterprise Framework 53
Chapter 5 The Security Pattern Landscape 59
Enterprise Security and Risk Management Patterns 59
Identification & Authentication (I&A) Patterns 62
Access Control Model Patterns 67
System Access Control Architecture Patterns 69
Operating System Access Control Patterns 71
Accounting Patterns 73
Firewall Architecture Patterns 77
Secure Internet Applications Patterns 78
Cryptographic Key Management Patterns 80
Related Security Pattern Repositories Patterns 83
Chapter 6 Enterprise Security and Risk Management 85
Security Needs Identification for Enterprise Assets 89
Asset Valuation 103
Threat Assessment 113
Vulnerability Assessment 125
Risk Determination 137
Enterprise Security Approaches 148
Enterprise Security Services 161
Enterprise Partner Communication 173
Chapter 7 Identification and Authentication (I&A) 187
I&A Requirements 192
Automated I&A Design Alternatives 207
Password Design and Use 217
Biometrics Design Alternatives 229
Chapter 8 Access Control Models 243
Authorization 245
Role-Based Access Control 249
Multilevel Security 253
Reference Monitor 256
Role Rights Definition 259
Chapter 9 System Access Control Architecture 265
Access Control Requirements 267
Single Access Point 279
Check Point 287
Security Session 297
Full Access with Errors 305
Limited Access 312
Chapter 10 Operating System Access Control 321
Authenticator 323
Controlled Process Creator 328
Controlled Object Factory 331
Controlled Object Monitor 335
Controlled Virtual Address Space 339
Execution Domain 343
Controlled Execution Environment 346
File Authorization 350
Chapter 11 Accounting 355
Security Accounting Requirements 360
Audit Requirements 369
Audit Trails and Logging Requirements 378
Intrusion Detection Requirements 388
Non-Repudiation Requirements 396
Chapter 12 Firewall Architectures 403
Packet Filter Firewall 405
Proxy-Based Firewall 411
Stateful Firewall 417
Chapter 13 Secure Internet Applications 423
Information Obscurity 426
Secure Channels 434
Known Partners 442
Demilitarized Zone 449
Protection Reverse Proxy 457
Integration Reverse Proxy 465
Front Door 473
Chapter 14 Case Study: IP Telephony 481
IP Telephony at a Glance 482
...