Quality-centric security pattern mutations
Year: 2019
Abstract: Security patterns are a means to encapsulate and communicate proven security solutions. They are well-established approaches for integrating security into the software development process. The literature includes a large array of security patterns categorized into various catalogs, from which the designers can choose a pattern suitable to the problem at hand. Previous efforts to choose appropriate security patterns have only considered the different functionality of the patterns. However, the solution structure of the chosen pattern will integrate with the overall software design and therefore affect many quality attributes such as flexibility and security. Thus, nonfunctional requirements should also be taken into account when opting to add a pattern to an existing software design. This will allow the designers to choose between alternative solutions not solely based on functionality, but also the quality requirements put forth by different stakeholders. We propose the concept of quality-centric security pattern mutations which are created by mutating current patterns using design refactoring rules. These mutations offer the same behavior as the initial pattern but with varying effects on quality attributes such as flexibility, reusability, extendibility, and security. We have selected two well-established access-control patterns as our case studies. We have used both object-oriented quality metrics and design security assessment metrics for quality evaluation and utilized Petri nets to analyze behavior preservation. Our assessments demonstrate that the newly created mutations offer varying levels of quality while preserving the original pattern functionality.
Electronic identifier: 10.1007/s11219-019-09454-5
Keyword(s): Security Patterns, Software Quality, Object-Oriented metrics, Security Evaluation, Refactoring
contributor author | عبّاس جوان جعفری بجنوردی | en |
contributor author | عباس رسول زادگان | en |
contributor author | Abbas Javan Jafari | fa |
contributor author | Abbas Rasoolzadegan | fa |
date accessioned | 2020-06-06T13:45:48Z | |
date available | 2020-06-06T13:45:48Z | |
date issued | 2019 | |
identifier uri | http://libsearch.um.ac.ir:80/fum/handle/fum/3368059 | |
language | English | |
title | Quality-centric security pattern mutations | en |
type | Journal Paper | |
contenttype | External Fulltext | |
subject keywords | Security Patterns | en |
subject keywords | Software Quality | en |
subject keywords | Object-Oriented metrics | en |
subject keywords | Security Evaluation | en |
subject keywords | Refactoring | en |
identifier doi | 10.1007/s11219-019-09454-5 | |
journal title | Software Quality Journal | fa |
pages | 1531-1561 | |
journal volume | 27 | |
journal issue | 4 | |
identifier link | https://profdoc.um.ac.ir/paper-abstract-1074782.html | |
identifier articleid | 1074782 |