Reference Implementations of Security Patterns for Authentication

This thesis is currently reserved!

Description

A security pattern (SP) is a solution to a recurring security problem that aims to stop or mitigate a certain type of threat by defining a security mechanism or a way to implement a security policy or regulation in a given context. Since their introduction in 1997 by Yoder and Barcalow, hundreds of SPs, and multiple SP catalogs that group and classify them, have been proposed by the research community. SPs are usually designed with the specific intent to support non-security developers, engineers, and architects in designing and developing secure systems. Consequently, they address the challenges arising from the fact that, in practice, non-security experts are often involved in security-related activities and decision-making. However, in contrast to other pattern families, such as the Gang of Four design patterns, the adoption of SPs remains limited in practice. One fundamental reason for their limited use is a misalignment between what SPs model and the security issues that designers actually face in their daily tasks. To better understand this misalignment, reference implementations of SPs are needed that help to understand the difference between what SPs model and what a technical solution to the SPs actually looks like.

In this thesis project, we aim to develop such reference implementations for common security patterns for authentication, one of many security controls for which SPs are formulated.

Project information

Status: In progress

Thesis for degree: Bachelor

Student: Maximilian Hense

Supervisor:

Id: 2026-008