|IT Security Patterns|
In this article we discuss how the evolution of design patterns has shaped the prevalent understanding of security patterns. We then analyse that particularly in the area of security the best practices are also manifested in other ways than only design patterns (e.g. Standard of Good Practice, Security Principles, and Control Catalogues). Finally we conclude that combining the idea of a structured controls catalogue and design patterns (as proposed by OSA) is particularly appealing and helps both the designer as well as the quality assuror and auditor.
History of Design Patterns
The history of design patterns started with the seminal book “A Pattern Language” , written in 1977 by Christopher Alexander a professor for architecture in Berkley. The ideas of Alexander were translated into the area of software design by several authors, among them Kent Beck, Ward Cunningham and later Erich Gamma et al. It is interesting to note that Christopher Alexander himself sees the evolution of the design pattern idea in the software development community much more critical than most of software design pattern experts do.
Today we find patterns for many different areas in IT such as design patterns, architectural patterns and interaction design patterns but also security patterns. All these patterns use very similar pattern languages. It is interesting to observe how close all these pattern languages stick to the original language proposed by Christopher Alexander.
The below two citations are only samples, the former discusses the derivation of a design pattern and the latter discusses the structure of a design pattern.
Let us assume that the notion of "design pattern" can be translated directly to IT security, for example: "A security pattern is a general reusable solution to a commonly occurnting problem in creating and maintaining secure information systems". It is then interesting to see how security design patterns can be combined with other ways to describe best practices for securing information systems. Both NIST 800-53 as well as ISO 27001 are best practices that describe technical, organizational as well process controls. While both of them are far more complete than any of the security pattern collections that can be found on the web ,, neither of them leverages the power of visually illustrated design patterns. In the Open Security Architecture community we try to improve the expression power of best practice standards by combining them with visually illustrated (design) patterns.