Abstract
As our lives become more dependent on the internet, cyber-attacks are growing at an alarming rate. Attackers exploit security vulnerabilities, which are weaknesses in software systems, to serve their ill intentions. A plethora of research has explored mitigating software security vulnerabilities during the implementation and testing phases of the software development life cycle. However, there have been relatively few attempts to address security vulnerabilities at the design stage of software development. A secure design pattern is a well-proven, reusable design solution to a recurring security problem in specific contexts. Using secure design patterns properly can help tackle software vulnerabilities during the design stage. However, the technical complexity of secure design patterns and the lack of guidance for selecting them make them more difficult for developers to use than conventional design patterns. To address this issue, this research presents a methodology for selecting the secure design pattern(s) that solve a given security vulnerability. The selection methodology begins by formalizing the vulnerabilities using an anti-pattern model. Next, potential secure design pattern candidates that can solve the given anti-pattern issue are selected by collecting and analyzing the secure design patterns. Finally, to qualify these potential candidates as final solutions, they are verified by applying them to the design of a vulnerable application and performing security testing. As a result, this research contributes to connecting the dots between security vulnerabilities, vulnerability anti-patterns, and secure design patterns by creating a mapping among them. Our evaluation suggests that the presented methodology can be adopted to select solution secure design patterns for most of the software security vulnerabilities that exist today.