{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,13]],"date-time":"2026-06-13T09:45:10Z","timestamp":1781343910991,"version":"3.54.1"},"reference-count":47,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T00:00:00Z","timestamp":1648771200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T00:00:00Z","timestamp":1648771200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"published-print":{"date-parts":[[2022,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>During the initial stages of software development, the primary goal is to define precise and detailed requirements without concern for software realizations. Security constraints should be introduced then and must be based on the semantic aspects of applications, not on their software architectures, as it is the case in most secure development methodologies. In these stages, we need to identify threats as attacker goals and indicate what conceptual security defenses are needed to thwart these goals, without consideration of implementation details. We can consider the effects of threats on the application assets and try to find ways to stop them. These threats should be controlled with abstract security mechanisms that can be realized by <jats:italic>abstract security patterns (ASPs)<\/jats:italic>, that include only the core functions of these mechanisms, which must be present in every implementation of them. An abstract security pattern describes a conceptual security mechanism that includes functions able to stop or mitigate a threat or comply with a regulation or institutional policy. We describe here the properties of ASPs and present a detailed example. We relate ASPs to each other and to Security Solution Frames, which describe families of related patterns. We show how to include ASPs to secure an application, as well as how to derive concrete patterns from them. Finally, we discuss their practical value, including their use in \u201csecurity by design\u201d and IoT systems design.<\/jats:p>","DOI":"10.1186\/s42400-022-00109-w","type":"journal-article","created":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T10:18:45Z","timestamp":1648808325000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":17,"title":["Abstract security patterns and the design of secure systems"],"prefix":"10.1186","volume":"5","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5109-4591","authenticated-orcid":false,"given":"Eduardo B.","family":"Fernandez","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Nobukazu","family":"Yoshioka","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hironori","family":"Washizaki","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Joseph","family":"Yoder","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2022,4,1]]},"reference":[{"key":"109_CR1","first-page":"1","volume":"342","author":"P Avgeriou","year":"2003","unstructured":"Avgeriou P (2003) Describing, instantiating and evaluating a reference architecture: a case study. Enterp Archit J 342:1\u201324","journal-title":"Enterp Archit J"},{"key":"109_CR2","unstructured":"Blakeley B, Heath C (2004) Members of the open group security forum: technical guide: security design patterns. The Open Group, London http:\/\/www.opengroup.org\/bookstore\/catalog\/g031.htm."},{"issue":"1","key":"109_CR3","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s13174-017-0064-1","volume":"8","author":"M Brambilla","year":"2017","unstructured":"Brambilla M et al (2017) \u201cModel-driven development of user interfaces for IoT systems via domain-specific components and patterns. J Internet Serv Appl 8(1):1\u201321","journal-title":"J Internet Serv Appl"},{"key":"109_CR4","volume-title":"Pattern- oriented software architecture","author":"F Buschmann","year":"1996","unstructured":"Buschmann F, Meunier R, Rohnert H, Sommerland P, Stal M (1996) Pattern- oriented software architecture. Wiley, New York"},{"key":"109_CR5","doi-asserted-by":"crossref","unstructured":"Dong J, Alencar P, Cowan D (2007) Formal specification and verification of design patterns, chapter 5. In: Taibi T (ed.) Design pattern formalization techniques. IGI Publishing, pp 94\u2013108","DOI":"10.4018\/978-1-59904-219-0.ch005"},{"key":"109_CR6","volume-title":"Security patterns in practice: building secure architectures using software patterns. Wiley series on software design patterns","author":"EB Fernandez","year":"2013","unstructured":"Fernandez EB (2013) Security patterns in practice: building secure architectures using software patterns. Wiley series on software design patterns. Wiley, New York"},{"key":"109_CR7","unstructured":"Fernandez EB, Yoshioka N (2018) Using a variety of patterns in a secure software development methodology. In: Proceedings 25th Asia-Pacific software engineering conference, Nara, Japan"},{"key":"109_CR8","doi-asserted-by":"crossref","unstructured":"Fernandez EB, Washizaki H, Yoshioka N (2008) Abstract security patterns. In: Position paper in Proceedings of the 2nd workshop on software patterns and quality (SPAQu'08), in conjunction with the 15th conference on pattern languages of programs (PLoP 2008), October 18\u201320, Nashville, TN","DOI":"10.1145\/1753196.1753198"},{"key":"109_CR9","doi-asserted-by":"crossref","unstructured":"Fernandez EB, Mujica S, Valenzuela f (2011) Two security patterns: least privilege and security logger\/auditor. In: Proceedings of Asian PLoP. http:\/\/patterns-wg.fuka.info.waseda.ac.jp\/asianplop\/proceedings2011\/asianplop2011_submission_7.pdf","DOI":"10.1145\/2524629.2524638"},{"key":"109_CR10","unstructured":"Fernandez EB, Yoshioka N, Washizaki H, Yoder J (2014) Abstract security patterns for requirements specification and analysis of secure systems. In: Proceedings of the WER 2014 conference, a track of the 17th Ibero-American conference on software engineering (CIbSE 2014), Pucon, Chile"},{"key":"109_CR11","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-014-0218-7","author":"EB Fernandez","year":"2015","unstructured":"Fernandez EB, Monge R, Hashizume K (2015) Building a security reference architecture for cloud systems. Requir Eng. https:\/\/doi.org\/10.1007\/s00766-014-0218-7","journal-title":"Requir Eng"},{"key":"109_CR12","unstructured":"Fernandez EB, Washizaki H, Yoshioka N (2016) Patterns for secure cloud IaaS. In: 5th Asian conference on pattern languages of programs (AsianPLoP)"},{"key":"109_CR13","unstructured":"Fernandez EB, Yoshioka N, Washizaki H (2018) An abstract security pattern for Authentication and a derived concrete pattern, the Credential-based Authentication. In: Asian pattern languages of programs conference (AsianPLoP)"},{"key":"109_CR14","unstructured":"Fernandez EB, Yoshioka N, Washizaki H (2019) Abstract and IoT security patterns for network segmentation. In: Proceedings of the 8th Asian conference on pattern languages of programs (Asian PLoP)"},{"key":"109_CR15","unstructured":"Fernandez EB, Yoshioka N, Washizaki H (2020) Secure distributed publish\/subscribe (P\/S) pattern for IoT. AsianPLoP"},{"key":"109_CR16","doi-asserted-by":"publisher","first-page":"100408","DOI":"10.1016\/j.iot.2021.100408","volume":"15","author":"EB Fernandez","year":"2021","unstructured":"Fernandez EB, Washizaki H, Yoshioka N, Okubo T (2021) The design of secure IoT applications using patterns: State of the art and directions for research. Internet Things 15:100408. https:\/\/doi.org\/10.1016\/j.iot.2021.100408","journal-title":"Internet Things"},{"key":"109_CR17","volume-title":"Analysis patterns\u2014reusable object models","author":"M Fowler","year":"1997","unstructured":"Fowler M (1997) Analysis patterns\u2014reusable object models. Addison-Wesley, Reading"},{"key":"109_CR18","volume-title":"Design patterns\u2014elements of reusable object-oriented software","author":"E Gamma","year":"1994","unstructured":"Gamma E, Helm R, Johnson R, Vlissides J (1994) Design patterns\u2014elements of reusable object-oriented software. Addison-Wesley, Reading"},{"key":"109_CR19","volume-title":"Computer security","author":"D Gollmann","year":"2011","unstructured":"Gollmann D (2011) Computer security, 3rd edn. Wiley, New York","edition":"3"},{"key":"109_CR20","doi-asserted-by":"publisher","first-page":"109","DOI":"10.1007\/s11334-015-0259-1","volume":"12","author":"B Hamid","year":"2016","unstructured":"Hamid B, G\u00fcrgens S, Fuchs A (2016) Security patterns modeling and formalization for pattern-based development of secure software systems. Innov Syst Softw Eng 12:109\u2013140. https:\/\/doi.org\/10.1007\/s11334-015-0259-1","journal-title":"Innov Syst Softw Eng"},{"key":"109_CR21","doi-asserted-by":"crossref","unstructured":"Hatebur D, Heisel M, Schmidt H (2007) A pattern system for security requirements engineering. In: Proceedings of ARES, pp 356\u2013365","DOI":"10.1109\/ARES.2007.12"},{"key":"109_CR22","volume-title":"The security development lifecycle: SDL: a process for developing demonstrably more secure software","author":"M Howard","year":"2006","unstructured":"Howard M (2006) The security development lifecycle: SDL: a process for developing demonstrably more secure software, 1st edn. Microsoft Press, Redmond","edition":"1"},{"key":"109_CR23","volume-title":"Problem frames: analyzing & structuring software development problems","author":"M Jackson","year":"2001","unstructured":"Jackson M (2001) Problem frames: analyzing & structuring software development problems. Addison-Wesley, Reading"},{"key":"109_CR24","doi-asserted-by":"crossref","unstructured":"Le Guennec A, Suny\u00e9 G, J\u00e9z\u00e9quel J-M (2000) Precise modeling of design patterns. In: International conference on the unified modeling language, pp 482\u2013496","DOI":"10.1007\/3-540-40011-7_35"},{"key":"109_CR25","unstructured":"Ma\u00f1a A, Fernandez EB, Ruiz J, Rudolph C (2013) Towards computer-based security patterns. In: 20th Conference on pattern languages of programs (PLoP)"},{"issue":"11","key":"109_CR26","doi-asserted-by":"publisher","first-page":"1670","DOI":"10.1002\/sec.863","volume":"7","author":"S Moral-Garc\u00eda","year":"2014","unstructured":"Moral-Garc\u00eda S, Moral-Rubio S, Rosado DG, Fern\u00e1ndez EB, Fern\u00e1ndez-Medina E (2014) Enterprise security pattern: a new type of security pattern. Secur Commun Netw (wiley) 7(11):1670\u20131690. https:\/\/doi.org\/10.1002\/sec.863","journal-title":"Secur Commun Netw (wiley)"},{"key":"109_CR27","doi-asserted-by":"crossref","unstructured":"Morrison P, Fernandez EB (2006) The credential pattern. In: Proceedings of the conference on pattern languages of programs, PLoP 2006, Portland, OR. http:\/\/hillside.net\/plop\/2006\/","DOI":"10.1145\/1415472.1415483"},{"issue":"3","key":"109_CR28","doi-asserted-by":"publisher","first-page":"471","DOI":"10.1142\/S0218194006002823","volume":"16","author":"H Mouratidis","year":"2006","unstructured":"Mouratidis H, Weiss M, Georgini P (2006) Modelling secure systems using an agent-oriented approach and security patterns. Int J Soft Eng Knowl Eng 16(3):471\u2013498","journal-title":"Int J Soft Eng Knowl Eng"},{"key":"109_CR41","doi-asserted-by":"crossref","unstructured":"Pereira-Vale A, Fernandez EB (2019) An ontology for security patterns. In: 38th International conference of the chilean computer science society (SCCC 2019), Concepci\u00f3n\u2014Chile. November 4\u20138","DOI":"10.1109\/SCCC49216.2019.8966393"},{"key":"109_CR29","volume-title":"How to solve it","author":"G Polya","year":"1957","unstructured":"Polya G (1957) How to solve it, 2nd edn. Doubleday Anchor Books, New York","edition":"2"},{"key":"109_CR30","doi-asserted-by":"crossref","unstructured":"Priebe T, Fernandez EB, Mehlau JI, Pernul G (2004) A pattern system for access control. In: Research directions in data and applications security XVIII, Farkas C, Samarati P (Eds.) Proceedings of the 18th annual IFIP WG 11.3 working conference on da-ta and applications security, Sitges, Spain, July 25\u201328","DOI":"10.1007\/1-4020-8128-6_16"},{"key":"109_CR32","volume-title":"The unified modeling language reference manual","author":"J Rumbaugh","year":"1999","unstructured":"Rumbaugh J, Jacobson I, Booch G (1999) The unified modeling language reference manual. Addison-Wesley, Boston"},{"issue":"9","key":"109_CR33","doi-asserted-by":"publisher","first-page":"1278","DOI":"10.1109\/PROC.1975.9939","volume":"63","author":"J Saltzer","year":"1975","unstructured":"Saltzer J, Schroeder M (1975) The protection of information in computer systems. Proc IEEE 63(9):1278\u20131308","journal-title":"Proc IEEE"},{"key":"109_CR34","volume-title":"Security patterns: integrating security and systems engineering","author":"M Schumacher","year":"2006","unstructured":"Schumacher M, Fernandez EB, Hybertson D, Buschmann F, Sommerlad P (2006) Security patterns: integrating security and systems engineering. Wiley, New York"},{"key":"109_CR35","unstructured":"Song Z, Li Z, Dou W (2003) Different approaches for the formal definition of authentication property. In: 9th Asia-Pacific conference on communications"},{"key":"109_CR36","volume-title":"Core security patterns: best strategies for J2EE, web services, and identity management","author":"C Steel","year":"2005","unstructured":"Steel C, Nagappan R, Lai R (2005) Core security patterns: best strategies for J2EE, web services, and identity management. Prentice Hall, Upper Saddle River"},{"key":"109_CR37","volume-title":"Software architecture: foundation, theory, and practice","author":"RN Taylor","year":"2010","unstructured":"Taylor RN, Medvidovic N, Dashofy N (2010) Software architecture: foundation, theory, and practice. Wiley, New York"},{"key":"109_CR38","unstructured":"Uzunov AV, Fernandez EB (2021) Cryptography-based security patterns and security solution frames for networked and distributed systems. Submitted for publication (available from the authors)"},{"key":"109_CR39","doi-asserted-by":"publisher","first-page":"193","DOI":"10.1016\/j.cose.2015.08.003","volume":"55","author":"A Uzunov","year":"2015","unstructured":"Uzunov A, Fernandez EB, Falkner K (2015a) Security solution frames and security patterns for authorization in distributed, collaborative systems. Comput Secur 55:193\u2013234. https:\/\/doi.org\/10.1016\/j.cose.2015.08.003","journal-title":"Comput Secur"},{"key":"109_CR40","doi-asserted-by":"publisher","first-page":"112","DOI":"10.1016\/j.csi.2015.02","volume":"41","author":"A Uzunov","year":"2015","unstructured":"Uzunov A, Fernandez EB, Falkner K (2015b) ASE: a comprehensive pattern-driven security methodology for distributed systems. J Comput Stand Interfaces 41:112\u2013137. https:\/\/doi.org\/10.1016\/j.csi.2015.02","journal-title":"J Comput Stand Interfaces"},{"key":"109_CR42","unstructured":"van Heesch U, Hezavehi SM, Avgeriou P (2011) Combining architectural patterns and software technologies in one design language. In: Proceedings of the 16th European conference on pattern languages of programs (EuroPLoP)"},{"key":"109_CR43","doi-asserted-by":"crossref","unstructured":"Villagran-Velasco O, Fernandez EB, Ortega-Arjona J (2020) Refining the evaluation of the degree of security of a system built using security patterns. In: Proceedings 15th international conference on availability, reliability and security (ARES 2020), Dublin, Ireland","DOI":"10.1145\/3407023.3407070"},{"key":"109_CR44","unstructured":"Warmer J, Kleppe A (2003) The object constraint language, 2nd edn. Addison-Wesley, Reading"},{"key":"109_CR45","doi-asserted-by":"crossref","unstructured":"Washizaki H, Fernandez EB, Maruyama K, Kubo A, Yoshioka N (2009a) Improving the classification of security patterns. In: Proceedings 20th international workshop on database and expert systems application, pp 165\u2013170","DOI":"10.1109\/DEXA.2009.79"},{"key":"109_CR46","doi-asserted-by":"crossref","unstructured":"Washizaki H, Fernandez EB, Maruyama K, Kubo A, Yoshioka N (2009b) Improving the classification of security patterns. In: 20th International workshop on database and expert systems application, pp 165\u2013170","DOI":"10.1109\/DEXA.2009.79"},{"key":"109_CR47","doi-asserted-by":"crossref","unstructured":"Washizaki H, Hazeyama A, Okubo T, Kanuka H, Ogata S, Yoshioka N (2021) Analysis of IoT pattern descriptions. In: SERP4IoT","DOI":"10.1109\/SERP4IoT52556.2021.00010"},{"key":"109_CR48","unstructured":"Yoder J, Barcalow J (2000) Architectural patterns for enabling application security. In: Harrison N, Foote B, Rohnert H (eds.) Proceedings PLOP\u201997, Also, Chapter 15 in pattern languages of program design, vol 4. Addison-Wesley"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00109-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-022-00109-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00109-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T12:12:17Z","timestamp":1648815137000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-022-00109-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,1]]},"references-count":47,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,12]]}},"alternative-id":["109"],"URL":"https:\/\/doi.org\/10.1186\/s42400-022-00109-w","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,4,1]]},"assertion":[{"value":"22 July 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"6 January 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 April 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"7"}}