search menu icon-carat-right cmu-wordmark

Security Design Refinement Through Mapping Tactics to Patterns

May 2016 Presentation
Jungwoo Ryoo (Pennsylvania State University), Rick Kazman (University of Hawaii)

This participatory session introduces participants to the concepts of software security, security tactics, and security patterns that underlie software architecture design.


Software Engineering Institute



Tactics are a set of generic design primitives that underlie software architecture design. Security tactics are a principled starting point in designing a secure software architecture. Because they are primitives, security tactics are inherently abstract. It is up to individual software architects, on their own, to refine these tactics to more specific design decisions. For this reason, they need guidance to facilitate and regularize this refinement process.

One form of this guidance is to provide explicit mappings between tactics and security patterns, which are refinements of security tactics: less abstract and closer to code. Identifying concrete relationships between tactics and patterns will save architects (who are not, in general, security experts) the trouble of drawing such links themselves. Such predefined mappings may also prevent architects from making incorrect refinements from tactics to patterns, and from there into code.

This participatory session will begin by introducing and familiarizing participants with the concepts of software security, security tactics, and security patterns. Then we will proceed to a group activity. The purposes of this hands-on exercise include

  • empowering participants to customize their own security tactics hierarchy and security pattern collection
  • teaching participants the mechanics of the tactics-refinement process so that they can conduct their own refinement process in the future