A Metric-based Evaluation Model for Authentication Design Patterns

Description

1. Motivation and problem statement

The significant increase in Common Vulnerabilities and Exposures (CVE) records, rising from 321 in 1999 to 17,308 in 2019, and reaching 40,077 in 2024 [1], highlights the importance of implementing secure software practices. However, the increasing complexity of modern software systems, driven by factors such as distributed architectures and interconnected services, presents a major challenge for industrial software engineering in effectively implementing secure solutions. Moreover, the lack of security experts on one side, and the lack of security-relevant information as well as the limited practical application of existing approaches to security modelling [2] on the other side, further add to the complexity of developing secure systems.

To address these challenges, the SCAM Project aims to develop a new usable approach to security modelling. In this regard, two metamodels have been developed: the Security Design Pattern (SDP) Description Metamodel, which provides a foundation for creating SDPs that encapsulate essential security information, and the SDP Knowledge Bases Metamodel, which aims to support architects in selecting appropriate SDPs [3]. To facilitate this, a security recommender approach, SecuRe, was proposed, which utilises a Constraint-based Recommender System (CBRS) to suggest suitable Authentication SDPs that align with the specific security requirements by leveraging the information from the SDP Knowledge Bases [4]. In this regard, there is a pressing need for reusable, quantifiable knowledge to develop such Knowledge Bases, which not only facilitate the recommendation process, but also allow developers and stakeholders to reason about security patterns and assess their effectiveness. By establishing measurable security pattern property metrics, architects can better understand vulnerabilities and make informed decisions to enhance the security posture of their applications.

2. Research questions

This thesis will look only into security patterns of the authentication (AuthN) security control. Thus, we refer to these as Authentication Design Patterns (AuthN DP).

RQ1: Which properties characterize AuthN DPs? This is essential to create a comprehensive Knowledge Base catalogue and eases understanding of different AuthN DPs.

RQ2: What metrics can be defined to measure these security pattern properties? This RQ aims to facilitate the recommendation process and enable reasoning about AuthN DPs.

3. Methodology

To identify Authentication Security Pattern properties, a bottom-up approach will be used first: existing literature, standards and guidelines on Authentication Security Patterns will be reviewed, and the different Authentication Security Patterns will then be put side by side to extract the properties that differentiate them from one another. Next, Large Language Models (LLMs) will be used as guidance to identify other properties, and the results will be validated through literature research and/or an appropriate explanation if the property is simply plausible. The results of both approaches will be combined to obtain a set of Authentication Security Pattern properties. Then an iterative approach will be used to develop metrics for the obtained properties. In each iteration a new property will be covered as follows:

  1. Define property and a suitable metric for it.
  2. Attempt to scale each SP based on this metric. (“Evaluation by Demonstration”)
  3. Refine metric based on the gained insights.

Project information

Status:

In progress

Thesis for degree:

Bachelor

Student:

Krisa Carka

Supervisor:
Id:

2025-013