A security pattern is a well-understood solution to a recurring information security problem. They are patterns in the sense originally defined by Christopher Alexander (the basis for much of the later work in design patterns and pattern languages of programs), applied to the domain of information security. A security pattern encapsulates security expertise in the form of worked solutions to these recurring problems, presenting issues and trade-offs in the usage of the pattern. This page presents our completed research into security patterns for Web application development.

We have produced a Security Patterns Repository consisting of 26 patterns and 3 mini-patterns. (A mini-pattern is a shorter, less formal discussion of security expertise in terms of just a problem and its solution.) We focused on the domain of Web application security to bound the scope of the problems that our patterns address. We also constructed a worked example system using some of our security patterns to help validate the approach; this example system was a patterns repository built to present our security patterns, spur discussion, and collect feedback. Unfortunately, we have been unable to maintain the patterns repository application, so please disregard all references to the repository in the documents below.

Our final report for the Security Patterns project can be found here.
Our first deliverable, a security patterns template and tutorial, can be found here.
A document containing the repository of security patterns can be found here.