Wednesday, 28 July 2010

Book Review: Security Patterns

Integrating Security and Systems Engineering

From the excellent Wiley series in Software Design Patterns comes an impressively ambitious tome, claiming to cover "real-world knowledge and experience from international security experts." It uses the hugely successful paradigm of design patterns, an approach to providing a shared vocabulary for communication between software professionals, which has become the norm in recent years.

Like all the best software design patterns books, this one sports a handful of authors (in this case a gang of five), acting both as expert contributors in their own right, and also as editors / leaders of a much larger team of contributors (in this case 21). Such a spread of expertise and experience is understandably necessary, given the ambitious scope of this book.

Also in the tradition of the best patterns books, we find the articles categorised into functional groups. In particular, after five satisfyingly brief chapters of introduction, chapters 6 through 13 deal with the subfields of Risk, Authentication, Access Control, System Access, OS Access, Audits, Firewalls and Internet Apps, each of which can be studied almost independently of the others (though there are some cross references). The volume is rounded off with a substantial case study (IP Telephony) and finally some remarks on Antipatterns and Misuse Cases.

Within the main sequence of pattern-related chapters, adherence to a stencil or template aids digestion, as with the original Go4 book. In all, 46 instances are delivered. Each has a name, with possible alternative AKAs, and includes sections titled Example, Context, Problem, Solution, Dynamics, Implementation, Example Resolved, Variants, Known Uses and Consequences. Additional sections, e.g. Structure, are added as appropriate in the context of the individual pattern or family.

Examples are particularly well handled, and comprise an (inevitable, but) excellent compromise between the complexities of real life scenarios, and the conflicting constraints of abstraction and teachability.

Overall, the patterns approach works particularly well. Which is unsurprising; after all, it was originally applied with unprecedented success to the field of software design generally. But then, most software bugs are security bugs, in the sense that they expose something to the user that was not intended to be revealed by the developers. There is therefore a sizable intersection in the Venn Diagram of Software v Security, where the applicability of any given approach transfers seamlessly.

The scope of the book is enormous, extending often outwith the limits of software and IT. And just like the huge subject of security itself, the book is a part of its own ecosystem, rooted at its main website www.securitypatterns.org, and with an active forum at its (members only) Yahoo! Group, http://tech.groups.yahoo.com/group/securitypatterns/.

One reviewer at Amazon.com says, "this isn't a book you'd sit down and read from cover to cover"; but I'd respectfully disagree. It is exactly the kind of book readily consumed in that way by anyone appreciative of the patterns structure and approach - and, of course, with an accompanying interest in security.

Security Patterns: Integrating Security and Systems Engineering
Wiley Software Patterns Series [Hardcover]
Authors: Frank Buschmann, Eduardo Fernandez-Buglioni, Duane Hybertson, Peter Sommerlad, Markus Schumacher.
2006
ISBN-10: 0470858842
ISBN-13: 978-0470858844
