A Review of Computer Security Patterns and a Proposed New Perspective
Authors: Seyed Hadi Sajjadi 1, Reza Kalantari 2
1 - Faculty member
2 -
Keywords: information security, security pattern, threat, vulnerability, attack, ontology
Abstract:
In this paper, we first address in a novel way the question of why computer security patterns are used and what benefits they offer. Then, after a brief introduction to the space of computer security confrontations, presented as an ontology, three perspectives on reviewing the patterns of this field are identified and distinguished from one another for the first time. These three perspectives are: the secure patterns perspective, which concerns the secure design of the common software design patterns; the security patterns perspective, which refers only to hardening patterns whose function is entirely security-oriented; and the framework-and-system perspective on security patterns, whose patterns also have an entirely security-oriented function but whose classification scheme differs from that of the second perspective. The first and third perspectives are explained briefly, while the second is investigated in detail from the standpoint of pattern organization, covering five types of organization. Through this kind of introduction, the reader gains a comprehensive view of the types and domains of application of computer security patterns and acquires the topical and contextual awareness needed to use these patterns more effectively. Finally, the idea behind this research is presented as a new type of organization intended to make the patterns easier to use and to address them more appropriately. The idea holds that the existing classifications are mostly static and prospective, lacking the necessary dynamism and any retrospective character, whereas an organization based on covering all stakeholders and on the security ontology can have this property and can, in addition, accommodate agile patterns. Based on this idea and the related analyses, the space of future research activities is also laid out for the reader.