A tutorial is a specialized session on a particular topic, which may including or not practical training, lectured by an instructor who is an expert in that topic. The duration of tutorials can be 3 hours (half-day) with a break or 6 hours (full-day) with three breaks, including one for lunch.

Prof. Eduardo B. Fernandez Email Web Page

Download presentation

Brief Bio of Prof. Eduardo B. Fernandez

Eduardo B. Fernandez (Eduardo Fernandez-Buglioni) is a professor in the Department of Computer Science and Engineering at Florida Atlantic University in Boca Raton, Florida. He has published numerous papers on authorization models, object-oriented analysis and design, and fault-tolerant systems. He has written three books on these subjects. He has lectured all over the world at both academic and industrial meetings. He has created and taught several graduate and undergraduate courses and industrial tutorials. His current interests include patterns for object-oriented design and web services security. He holds a MS degree in Electrical Engineering from Purdue University and a Ph.D. in Computer Science from UCLA. He is a Senior Member of the IEEE, and a Member of ACM. He is an active consultant for industry, including assignments with IBM, Allied Signal, Motorola, Harris, Lucent, and others. He is also a frequent proposal reviewer for NSF.

Abstract:

Analysis and design patterns are well established as a convenient and reusable way to build high-quality object-oriented software. Patterns combine experience and good practices to develop basic models that can be used for new designs. Security patterns join the extensive knowledge accumulated about security with the structure provided by patterns to provide guidelines for secure system design and evaluation. We show a variety of security patterns and their use in the construction of secure systems. These patterns include Authentication, Authorization, Role-based Access Control, Firewalls, Protected Execution Environment, and others. We combine some of these patterns to build Single-Sign-On architectures, web services authorization, authorized applications, and others. We apply these patterns through a secure system development method that use different mechanisms based on a hierarchical architecture whose layers define the scope of each security mechanism. First, the possible attacks and the rights of the users are defined from extended Use Cases using a Role-Based Access Control (RBAC) model. These rights are then reflected in the conceptual class model. We then define additional security constraints that apply to distribution and concurrency aspects, as well as navigational user interfaces. In the implementation levels we select patterns, components, and languages to realize the needed functions. We use a catalog of security patterns that help defining the security mechanisms at each architectural level and at each development stage. The patterns are shown using UML models and examples are taken from out forthcoming book “Security Patterns”. Attendees will be able to understand security patterns and how can they be used to build secure systems.

In his presentation, Prof. Fernandez will address:

- Introduction
- Internet security issues---recent attacks, vulnerabilities, threats
- Object-oriented design and patterns--- need for good software engineering, analysis and design patterns
- Security models and their patterns---policies, access matrix, multilevel models, RBAC
- Relating attacks to use cases.
- Defining authorizations from use cases---nonfunctional aspects of use cases, RBAC and security policies
- Authorized conceptual model
- Secure system architectures---effect of distribution and user interfaces
- Web application servers and components---mapping RBAC to components, J2EE and .NET
- Patterns for web services, firewalls, and IDS.
- Coordination across levels---mapping of authorizations across architectural levels
- Conclusions---the future

Tutorial 2

Enterprise Ontology

Dr. Jan Dietz Email Web Page