US Flag Official website of the Department of Homeland Security
U.S. Department of Homeland Security Seal. Build Security In. Setting a higher standard for software assurance.

Attack Patterns Articles

Building software with an adequate level of security assurance for its mission becomes more and more challenging every day as the size, complexity, and tempo of software creation increases and the number and the skill level of attackers continues to grow. These factors each exacerbate the issue that, to build secure software, builders must ensure that they have protected every relevant potential vulnerability; yet, to attack software, attackers often have to find and exploit only a single exposed vulnerability. To identify and mitigate relevant vulnerabilities in software, the development community needs more than just good software engineering and analytical practices, a solid grasp of software security features, and a powerful set of tools. All of these things are necessary but not sufficient. To be effective, the community needs to think outside of the box and to have a firm grasp of the attacker’s perspective and the approaches used to exploit software [Hoglund 04, Koizol 04].

These articles discuss the concept of attack patterns as a mechanism to capture and communicate the attacker’s perspective. Attack patterns are descriptions of common methods for exploiting software. They derive from the concept of design patterns [Gamma 95] applied in a destructive rather than constructive context and are generated from in-depth analysis of specific real-world exploit examples. Through analysis of observed exploits, the following typical information is captured for each attack pattern:

  • Pattern name and classification
  • Attack prerequisites
  • Description
  • Targeted vulnerabilities or weaknesses
  • Method of attack
  • Attacker goal
  • Attacker skill level required
  • Resources required
  • Blocking solutions
  • Context description
  • References

This information can bring considerable value for software security considerations through all phases of the software development lifecycle (SDLC) and other security-related activities, including:

  • Requirements gathering
  • Architecture and design
  • Implementation and coding
  • Software testing and quality assurance
  • Systems operation
  • Policy and standard generation
Title Updated datesort ascending

Attack Pattern Generation

2013-05-14

Attack Pattern Glossary

2013-05-14

Attack Pattern References

2006-11-07

Attack Pattern Usage

2013-05-14

Further Information on Attack Patterns

2013-05-14

Introduction to Attack Patterns

2013-05-14
Back to Top