Vulnerability anti-patterns: a timeless way to capture poor software practices (Vulnerabilities)

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


Abstract

There is a distinct communication gap between the software engineering and cybersecurity communities when it comes to addressing recurring security problems, known as vulnerabilities. Many vulnerabilities are caused by software errors that are created by software developers. Insecure software development practices are common due to a variety of factors, which include inefficiencies within existing knowledge transfer mechanisms based on vulnerability databases (VDBs), software developers perceiving security as an afterthought, and a lack of consideration of security as part of the software development lifecycle (SDLC). The resulting communication gap also prevents developers and security experts from successfully sharing essential security knowledge. The cybersecurity community makes its expert knowledge available in forms including vulnerability databases such as CAPEC and CWE, and pattern catalogues such as Security Patterns, Attack Patterns, and Software Fault Patterns. However, these sources are not effective at providing software developers with an understanding of how malicious hackers can exploit vulnerabilities in the software systems they create. As developers are familiar with pattern-based approaches, this paper proposes the use of Vulnerability Anti-Patterns (VAP) to transfer usable vulnerability knowledge to developers, bridging the communication gap between security experts and software developers. The primary contribution of this paper is twofold: (1) it proposes a new pattern template – Vulnerability Anti-Pattern – that uses anti-patterns rather than patterns to capture and communicate knowledge of existing vulnerabilities, and (2) it proposes a catalogue of Vulnerability Anti-Patterns (VAP) based on the most commonly occurring vulnerabilities that software developers can use to learn how malicious hackers can exploit errors in software.
Original language: English
Title of host publication: Proceedings of the 24th Conference on Pattern Languages of Programs
Publisher: The Hillside Group
Number of pages: 17
ISBN (Print): 9781941652060
Publication status: Published - 29 Nov 2018
Event: 24th Conference on Pattern Languages of Programs - Hyatt Regency Vancouver Hotel, Vancouver, Canada
Duration: 22 Oct 2017 to 25 Oct 2017
Event website: http://www.hillside.net/plop/2017/index.php?nav=PLoP17

Conference

Conference: 24th Conference on Pattern Languages of Programs
Abbreviated title: PLoP '17
Country: Canada
City: Vancouver
Period: 22/10/17 to 25/10/17
Internet address: http://www.hillside.net/plop/2017/index.php?nav=PLoP17

Cite this

Nafees, T., Coull, N., Ferguson, I., & Sampson, A. (2018). Vulnerability anti-patterns: a timeless way to capture poor software practices (Vulnerabilities). In Proceedings of the 24th Conference on Pattern Languages of Programs. The Hillside Group.
Nafees, Tayyaba; Coull, Natalie; Ferguson, Ian; Sampson, Adam. Vulnerability anti-patterns: a timeless way to capture poor software practices (Vulnerabilities). Proceedings of the 24th Conference on Pattern Languages of Programs. The Hillside Group, 2018.
@inproceedings{bb43cc1f6b0b406d8a61a34ad2dbf266,
title = "Vulnerability anti-patterns: a timeless way to capture poor software practices (Vulnerabilities)",
author = "Tayyaba Nafees and Natalie Coull and Ian Ferguson and Adam Sampson",
year = "2018",
month = "11",
day = "29",
language = "English",
isbn = "9781941652060",
booktitle = "Proceedings of the 24th Conference on Pattern Languages of Programs",
publisher = "The Hillside Group"
}

Nafees, T, Coull, N, Ferguson, I & Sampson, A 2018, Vulnerability anti-patterns: a timeless way to capture poor software practices (Vulnerabilities). in Proceedings of the 24th Conference on Pattern Languages of Programs. The Hillside Group, 24th Conference on Pattern Languages of Programs, Vancouver, Canada, 22/10/17.

Vulnerability anti-patterns : a timeless way to capture poor software practices (Vulnerabilities). / Nafees, Tayyaba; Coull, Natalie; Ferguson, Ian; Sampson, Adam.

Proceedings of the 24th Conference on Pattern Languages of Programs. The Hillside Group, 2018.


TY - GEN

T1 - Vulnerability anti-patterns

T2 - a timeless way to capture poor software practices (Vulnerabilities)

AU - Nafees, Tayyaba

AU - Coull, Natalie

AU - Ferguson, Ian

AU - Sampson, Adam

PY - 2018/11/29

Y1 - 2018/11/29


M3 - Conference contribution

SN - 9781941652060

BT - Proceedings of the 24th Conference on Pattern Languages of Programs

PB - The Hillside Group

ER -

Nafees T, Coull N, Ferguson I, Sampson A. Vulnerability anti-patterns: a timeless way to capture poor software practices (Vulnerabilities). In Proceedings of the 24th Conference on Pattern Languages of Programs. The Hillside Group; 2018.