{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,13]],"date-time":"2026-06-13T09:45:10Z","timestamp":1781343910986,"version":"3.54.1"},"reference-count":38,"publisher":"SAGE Publications","issue":"1","license":[{"start":{"date-parts":[[2018,9,11]],"date-time":"2018-09-11T00:00:00Z","timestamp":1536624000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2019,1,11]]},"abstract":"Design Patterns are now widely accepted and used in software engineering; they represent generic and reusable solutions to common problems in software design. Security patterns are specialised patterns whose purpose is to help design applications that should meet security requirements. The enthusiasm surrounding security patterns has made emerge several catalogues listing up to 180 different patterns at the moment. This growing number brings an increased difficulty in choosing the most appropriate patterns for a given design problem. We propose a security pattern classification to facilitate the security pattern choice and a classification method based on data integration. The classification exposes relationships among software attacks, security principles and security patterns. It expresses the pattern combinations that are countermeasures to a given attack. This classification is semi-automatically inferred by means of a data-store integrating disparate publicly available security data. The data-store is also used to generate Attack Defense Trees. In our context, these illustrate, for a given attack, its sub-attacks, steps, techniques and the related defenses given under the form of security pattern combinations. Such trees make the pattern classification more readable even for beginners in security patterns. Finally, we evaluate on human subjects the benefits of using a pattern classification established for Web applications, which covers 215 attacks, 66 security principles and 26 security patterns.<\/jats:p>","DOI":"10.3233\/jcs-171063","type":"journal-article","created":{"date-parts":[[2018,9,11]],"date-time":"2018-09-11T17:08:13Z","timestamp":1536685693000},"page":"49-74","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":7,"title":["A catalogue associating security patterns and attack steps to design secure applications"],"prefix":"10.1177","volume":"27","author":[{"given":"S\u00e9bastien","family":"Salva","sequence":"first","affiliation":[{"name":"University Clermont Auvergne, IUT of Clermont-Ferrand, Limos, France. E-mail:\u00a0"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Loukmen","family":"Regainia","sequence":"additional","affiliation":[{"name":"University Clermont Auvergne, Limos, France. E-mail:\u00a0"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"179","published-online":{"date-parts":[[2018,9,11]]},"reference":[{"key":"ref001","doi-asserted-by":"crossref","unstructured":"A.K.\u00a0Alvi and M.\u00a0Zulkernine, A natural classification scheme for software security patterns, in: 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, 2011, pp.\u00a0113\u2013120. doi:10.1109\/DASC.2011.42.","DOI":"10.1109\/DASC.2011.42"},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"A.K.\u00a0Alvi and M.\u00a0Zulkernine, A comparative study of software security pattern classifications, in: 2012 Seventh International Conference on Availability, Reliability and Security, 2012, pp.\u00a0582\u2013589. doi:10.1109\/ARES.2012.43.","DOI":"10.1109\/ARES.2012.43"},{"key":"ref003","doi-asserted-by":"crossref","unstructured":"P.\u00a0Anand, J.\u00a0Ryoo and R.\u00a0Kazman, Vulnerability-based security pattern categorization in search of missing patterns, in: 2014 Ninth International Conference on Availability, Reliability and Security, 2014, pp.\u00a0476\u2013483. doi:10.1109\/ARES.2014.71.","DOI":"10.1109\/ARES.2014.71"},{"key":"ref004","unstructured":"L.\u00a0Bass, P.\u00a0Clements and R.\u00a0Kazman, Software Architecture in Practice, 3rd edn, Addison-Wesley Professional, 2012."},{"key":"ref005","unstructured":"M.\u00a0Bunke, R.\u00a0Koschke and K.\u00a0Sohr, Organizing security patterns related to security and pattern recognition requirements, International Journal on Advances in Security 5 (2012)."},{"key":"ref006","unstructured":"M.\u00a0Daun, C.\u00a0H\u00fcbscher and T.\u00a0Weyer, Controlled experiments with student participants in software engineering: Preliminary results from a systematic mapping study,\n CoRR\n , abs\/1708.04662, 2017."},{"key":"ref007","doi-asserted-by":"crossref","unstructured":"V.\u00a0Dialani, S.\u00a0Miles, L.\u00a0Moreau, D.\u00a0De Roure and M.\u00a0Luck, Transparent fault tolerance for web services based architectures, in: Euro-Par 2002 Parallel Processing, Springer, 2002, pp.\u00a0889\u2013898. doi:10.1007\/3-540-45706-2_126.","DOI":"10.1007\/3-540-45706-2_126"},{"key":"ref008","doi-asserted-by":"crossref","unstructured":"E.B.\u00a0Fernandez, Security patterns and secure systems design, in: Dependable Computing, A.\u00a0Bondavalli, F.\u00a0Brasileiro and S.\u00a0Rajsbaum, eds, Springer, Berlin, Heidelberg, 2007, pp.\u00a0233\u2013234. doi:10.1007\/978-3-540-75294-3_18.","DOI":"10.1007\/978-3-540-75294-3_18"},{"key":"ref009","doi-asserted-by":"crossref","unstructured":"E.B.\u00a0Fernandez, H.\u00a0Astudillo and G.\u00a0Pedraza-Garc\u00eda, Revisiting architectural tactics for security, in: Software Architecture, D.\u00a0Weyns, R.\u00a0Mirandola and I.\u00a0Crnkovic, eds, Springer International Publishing, Cham, 2015, pp.\u00a055\u201369. doi:10.1007\/978-3-319-23727-5_5.","DOI":"10.1007\/978-3-319-23727-5_5"},{"key":"ref010","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-01648-6_34"},{"key":"ref011","doi-asserted-by":"crossref","unstructured":"R.\u00a0Jhawar, B.\u00a0Kordy, S.\u00a0Mauw, S.\u00a0Radomirovi\u0107 and R.\u00a0Trujillo-Rasua, Attack trees with sequential conjunction, in: IFIP International Information Security Conference, Springer, 2015, pp.\u00a0339\u2013353.","DOI":"10.1007\/978-3-319-18467-8_23"},{"key":"ref012","doi-asserted-by":"crossref","unstructured":"B.\u00a0Kordy, P.\u00a0Kordy, S.\u00a0Mauw and P.\u00a0Schweitzer, ADTool: Security analysis with attack\u2013defense trees, in: International Conference on Quantitative Evaluation of Systems, Springer, 2013, pp.\u00a0173\u2013176. doi:10.1007\/978-3-642-40196-1_15.","DOI":"10.1007\/978-3-642-40196-1_15"},{"key":"ref013","doi-asserted-by":"crossref","unstructured":"B.\u00a0Kordy, S.\u00a0Mauw, S.\u00a0Radomirovi\u0107 and P.\u00a0Schweitzer, Attack\u2013defense trees, Journal of Logic and Computation (2012), exs029.","DOI":"10.1093\/logcom\/exs029"},{"key":"ref014","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2006.109"},{"key":"ref015","unstructured":"Mitre corporation, Common attack pattern enumeration and classification, 2018, https:\/\/capec.mitre.org\/."},{"key":"ref016","unstructured":"Mitre corporation, Common weakness enumeration, 2018, https:\/\/cwe.mitre.org\/."},{"key":"ref017","unstructured":"H.\u00a0Munawar, Security pattern catalog, http:\/\/www.munawarhafiz.com\/securitypatterncatalog\/."},{"key":"ref018","unstructured":"Offensive Security, Exploit database archive, 2018, https:\/\/capec.mitre.org\/."},{"key":"ref019","unstructured":"OWASP, Owasp testing guide v3.0 project, 2003, http:\/\/www.owasp.org\/index.php\/Category:OWASP_Testing_Project#OWASP_Testing_Guide_v3."},{"key":"ref020","doi-asserted-by":"crossref","unstructured":"L.\u00a0Regainia and S.\u00a0Salva, A methodology of security pattern classification and of attack-defense tree generation, in: Proceedings of the 3nd International Conference on Information Systems Security and Privacy (ICISSP 2017, Porto, Portugal, 02 2017, O.\u00a0Camp, S.\u00a0Furnell and P.\u00a0Mori, eds, SciTePress.","DOI":"10.5220\/0006198301360146"},{"key":"ref021","unstructured":"L.\u00a0Regainia and S.\u00a0Salva, Security pattern classification, companion site, 2018, http:\/\/regainia.com\/research\/companion.html."},{"key":"ref022","doi-asserted-by":"crossref","unstructured":"L.\u00a0Regainia, S.\u00a0Salva and C.\u00a0Bouhours, A classification methodology for security patterns to help fix software weaknesses, in: 13th ACS\/IEEE International Conference on Computer Systems and Applications AICCSA 2016, Agadir, Morocco, 11 2016, IEEE Computer Society.","DOI":"10.1109\/AICCSA.2016.7945693"},{"key":"ref023","unstructured":"L.\u00a0Reigaigna, C.\u00a0Bouhours and S.\u00a0Salva, A systematic approach to assist designers in security pattern integration, in: The Second International Conference on Advances and Trends in Software Engineering (SOFTENG 2016), Lisbon, Portugal, 02 2016."},{"key":"ref024","unstructured":"E.\u00a0Rodriguez, Security design patterns, in: 19th Annual Computer Security Application Conference (ACSAC\u201903), 2003."},{"key":"ref025","doi-asserted-by":"publisher","DOI":"10.1109\/PROC.1975.9939"},{"key":"ref026","unstructured":"J.\u00a0Scambray and E.\u00a0Olson, Improving Web Application Security, 2003."},{"key":"ref027","unstructured":"M.\u00a0Schumacher, Security Engineering with Patterns: Origins, Theoretical Models, and New Applications, Springer-Verlag, New York, 2003."},{"key":"ref028","unstructured":"R.\u00a0Slavin and J.\u00a0Niu, Security patterns repository, 2017, http:\/\/sefm.cs.utsa.edu\/repository\/."},{"key":"ref029","unstructured":"P.N.\u00a0Tan, M.\u00a0Steinbach and V.\u00a0Kumar, Introduction to Data Mining, 1st edn, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2005."},{"key":"ref030","doi-asserted-by":"crossref","unstructured":"I.A.\u00a0T\u00f8ndel, J.\u00a0Jensen and L.\u00a0R\u00f8stad, Combining misuse cases with attack trees and security activity models, in: Availability, Reliability, and Security, 2010. ARES\u201910 International Conference on, IEEE, 2010, pp.\u00a0438\u2013445. doi:10.1109\/ARES.2010.101.","DOI":"10.1109\/ARES.2010.101"},{"key":"ref031","doi-asserted-by":"publisher","DOI":"10.1016\/j.csi.2013.12.008"},{"key":"ref032","unstructured":"J.\u00a0Viega and G.\u00a0McGraw, Building Secure Software: How to Avoid Security Problems the Right Way, Portable Documents, Pearson Education, 2001."},{"key":"ref033","unstructured":"R.\u00a0Wassermann and B.H.\u00a0Cheng, Security patterns, in: Michigan State University, PLoP Conf., 2003, Citeseer."},{"key":"ref034","doi-asserted-by":"crossref","unstructured":"A.\u00a0Wiesauer and J.\u00a0Sametinger, A security design pattern taxonomy based on attack patterns, in: International Joint Conference on E-Business and Telecommunications, 2009, pp.\u00a0387\u2013394.","DOI":"10.5220\/0002232503870394"},{"key":"ref035","doi-asserted-by":"publisher","DOI":"10.1016\/0306-4573(88)90027-1"},{"key":"ref036","unstructured":"J.\u00a0Yoder, J.\u00a0Yoder, J.\u00a0Barcalow and J.\u00a0Barcalow, Architectural patterns for enabling application security, in: Proceedings of PLoP 1997, 1998, 51:31."},{"key":"ref037","unstructured":"K.\u00a0Yskout, T.\u00a0Heyman, R.\u00a0Scandariato and W.\u00a0Joosen, A system of security patterns, technical report cw-469, 2006."},{"key":"ref038","doi-asserted-by":"crossref","unstructured":"K.\u00a0Yskout, R.\u00a0Scandariato and W.\u00a0Joosen, Do security patterns really help designers? in: Proceedings of the 37th International Conference on Software Engineering\u00a0\u2013 Volume 1, ICSE \u201915, IEEE Press, Piscataway, NJ, USA, 2015, pp.\u00a0292\u2013302.","DOI":"10.1109\/ICSE.2015.49"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-171063","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-171063","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-171063","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:16Z","timestamp":1777495516000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-171063"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,9,11]]},"references-count":38,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2019,1,11]]}},"alternative-id":["10.3233\/JCS-171063"],"URL":"https:\/\/doi.org\/10.3233\/jcs-171063","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,9,11]]}}}