Contextualizing of Architectural Security Patterns as a Knowledge Management Challenge

Abstract

Security-by-design as adoption of security solutions for a system design is in focus of this work. This field is treated as requiring expert knowledge and heavy for automation. A perspective way to improve exiting security design methodologies is the use of security patterns as a mechanism of collecting secure design artifacts. To apply security patterns as a part of automation of secure design, it requires well-formed collections of security patterns and innovative method to support the design decisions. This work considers a contextualizing challenge as a way to define the necessity of a security pattern in a given case. Understanding of context includes two main questions: "Is the security pattern suitable for a system design?" and "Does the security pattern affect a particular security challenge?". We approach a direct architectural contextualizing as a basic mechanism of automatic mapping of security artifacts (threats, security solutions) to components of a computer system during early design stages (requirements, design). Also, this work describes two use cases of the architectural contextualizing based on an ontological cloud threat pattern catalog: the use of a query language for finding relevant security patterns and analysis of graphical system representations based on an ontology driven threat modeling. This work uses a strict ontological approach, implemented with Web Ontology Language (OWL) and automatic reasoning procedures.