The document summarizes security patterns for software development. It begins with introducing the speaker and their background in information security. It then defines security patterns as design patterns that can achieve security goals like confidentiality, integrity, and availability. The document outlines different approaches to incorporating security like using UML/OCL models, vulnerability analysis, and model-driven security. It discusses the value of patterns and why they are useful for security. The main body provides examples of security patterns, including encrypting messages, microservice access control, federation and assertions, strong authentication, and pinning.

1. Security Patterns
for Software Development
Narudom Roongsiriwong, CISSP
OWASP Meeting, July 30, 2020

2. WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● SVP, Head of IT Security, Kiatnakin Bank PLC (KKP)
● Committee Member, Thailand Banking Sector CERT (TB-CERT)
● APAC Research Advisory Council Member at Cloud Security Alliance Asia Pacific
● Consultant, OWASP Thailand Chapter
● Committee Member, National Digital ID Project, Technical Team
● Chief Information Security Officer (CISO) of the Year 2017, NetworkWorld Asia
● Contact: narudom@owasp.org

3. What Is Security Patterns
Design patterns those can be applied to achieve goals
in the area of security
Classical design patterns have different instantiations
to fulfill some information security goal: such as
confidentiality, integrity and availability.
Additionally, one can create a new design pattern to
specifically achieve some security goal such as non-
repudiation

4. Approach to Software Development
UML/OCL
Models,
Security
Patterns
Model
Checking and
Composability
of Systems
Vulnerability
Analysis, Code
Examination,
Best Practices
Theoretical
Analysis of
Security
Model-
Driven
Security
Code Based
Security
Verification
Certification
Certification

5. Value of Patterns
● Reusable solutions, but maybe not directly, usually require
tailoring
● Encapsulate experience and knowledge of designers (best
practices)
● Free of errors after a while
● Need to be cataloged to be useful
● Used as guidelines for design
● Good to evaluate systems and standards
● Useful for teaching

6. Why Security Patterns
● Gaps in knowledge
● Gaps in coverage
● Risks that are complicated and subtle
● Broad range of issues
● Different kinds of expert knowledge

7. Basic Knowledge of Cryptography
● The following security patterns heavily based on
cryptography.
● Two cryptography categories
– Encryption
– Hashing

8. Types of Cryptography
Secret Writing
Confidentiality
Control
Masking
Overt
Covert
Encryption
Hashing
Steganography
Digital
Watermarking

9. Symmetric Asymmetric
Speed Very fast and efficient in encrypting
large volumes of data
Computationally intensive and much slower
Key Exchange &
Management
Both the sender and the receiver must
have a mechanism in place to share the
key without compromising its secrecy.
Exchange public key freely but management
including identification requires a public key
infrastructure (PKI) in some format such as
X.509 or blockchain
Scalability Not very scalable, the number of keys
required depends on the number of
users or parties involved in secure
transaction.
Only two keys needed per user: one that is
private and
held by the sender and the other that is
public
Nonrepudiation Does not provide proof
of origin
The sender cannot deny sending the
message when the message has been
encrypted using the private key of the
sender
Encryption

10. Two Usage of Asymmetric Encryption
Confidentiality assurance in asymmetric key cryptography
Encrypt
Decrypt
Plaintext PlaintextCipher Text
Bob’s Public Bob’s Private
Decrypt
Encrypt
BobAlice Alice’s Private Alice’s Public
Proof of origin assurance in asymmetric key cryptography
Encrypt
Decrypt
Plaintext PlaintextCipher Text
Bob’s Public Bob’s Private
Decrypt
Encrypt
BobAlice
Alice’s Private Alice’s Public
Accountability

11. ● Condenses arbitrary
message to fixed size
– h = H(M)
● Usually assume hash
function is public
● Hash used to detect
changes to message
● Well-know hash functions:
SHA-1, SHA-2 (SHA-256,
SHA-512), SHA-3
Hashing

12. Examples of Security Patterns

13. Pattern#1: Sending Encrypted Message or File
Data
Encrypt key
using receiver’s
public key
RSA
Encrypted Message
Encrypt Decrypt
Encrypt data
using random
key
q4fzNeBCRSYqv
Encrypted Key
Generate
Random
Key
Data
TIakvAQkCu2u
Random Key
Encrypted Message
Data
q4fzNeBCRSYqv
Encrypted Key
Decrypt data
using key
Decrypt using
receiver’s
private key
RSA
TIakvAQkCu2u
Data
● Use OpenPGP Standard
● Combine strength of
symmetric (fast) and
asymmetric (recipient only)
cryptography
● For multiple recipients, each
of their public keys is used to
encrypt a copy of the same
secret (symmetric key)
● Support libraries
https://www.openpgp.org/soft
ware/developer/

14. Pattern#2: Microservice Architecture Access Control
● Problems
– Access control logic needs to be handled in each microservice
– A microservice only handles a single business logic thus the
global access control logic should not be placed in the
microservice implementation
– HTTP is a stateless protocol
– Access control schemes need to be considered to ensure the
security of the application

15. Pattern#2: Microservice Architecture Access Control
Microservices
API
Gateway
Service
Service
Service
Service
Identity
Provider
Log
TLS

16. Pattern#2: Microservice Architecture Access Control
:Client :API Gateway :Identity Provid... :Service
authenticate
return access token
authenticate
return access token
call { access token }
service response
validate token
return authentication
service response
call service
Viewer does not support full SVG 1.1

17. Pattern#3: Federation and Assertion
● Federation: a process that
allows for the conveyance
of authentication attributes
and subscriber attributes
across networked systems
● NIST SP800-63c
● Two types of assertion
presentation
– Back channel presentation
(recommended)
– Front channel presentation
IdP = Identity Provider, RP = Relying Party

18. Pattern#3: Federation and Assertion
Back Channel Assertion
● The subscriber is given an
assertion reference to
present to the RP, generally
through the front channel.
● The assertion reference
itself contains no
information about the
subscriber and SHALL be
resistant to tampering and
fabrication by an attacker.

19. Pattern#3: Federation and Assertion
NDID – Out of Band Assertion
● NDID – National Digital Identity
● The subscriber tells the RP
which IdP for assertion.
● The RP will send the request
message the IdP for assertion.
● The IdP will ask the subscriber
authentication/approval with
the request message
● If the subscriber confirms, the
assertion will be sent to the RP

20. Pattern#4: Strong Authentication
FIDO Protocol is one of this pattern implementation
But we can implement our own way

21. Pattern#4: Strong Authentication – Registration

22. Pattern#4: Strong Authentication – Authentication

23. Pattern#4: Strong Authentication – Transaction

24. Pattern#4: Strong Authentication – Deregistration

25. Pattern#5: Pinning
● What's the problem
– Applications expect end-to-end security on their secure channels,
but some secure channels are not meeting the expectation
● What Is Pinning
– The process of associating a host with their expected X.509
certificate or public key by associated or 'pinned' them to the host
● How Do You Pin
– To harden the channel, the program would take advantage of the
OnConnect callback offered by a library, framework or platform. In
the callback, the program would verify the remote host's identity
by validating its certificate or public key

26. Pattern#5: Pinning – What Should Be Pinned
Public
Certificate Public Key Hash of Certificate
Information
(full or partial)
Reference: https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning