Generally speaking I like the idea of patterns in SW for many reasons. Two of the biggest reasons are that they save development time and reduce errors (not repeating other people's mistakes). For these same reasons security patterns seem to me to be a good idea.
One small advantage to roll-your-own security software is the fact that you did it your way and it's probably not exactly like 95% of the other systems out there. If someone discovers an exploit through your security it pretty much just affects you. Or more importantly, if someone discovers an exploit for someone else's system it probably won't affect yours. However, if everyone is following the same sort of security patterns and an exploit is discovered for one of those patterns doesn't that mean that a lot of systems will be affected?
Of course, if a well known pattern is exploited it will probably be patched rather quickly, where a roll-your-own system might never get patched (if the compromise is even noticed).
It would seem to me that if I roll my own, even though I come up with new code, I'm likely to fall into the same patterns as someone else coming up with code to solve the same problem. So, effectively, my choice becomes whether I'm implementing a pattern (likely bad) that I don't recognize, or implementing patterns that have been examined with an eye for security. Given that patterns are usually not created, but are generally documented after being recognized from best practices, I figure I want to copy the best.
Thanks for the responses. They make sense. I wasn't trying to discredit security patterns. They seem like a GREAT idea to me. I'm not a security expert, so any chance to leverage off of the thinking others have already done (as you mentioned, Tina) sounds good to me. It just struck me that using patterns might make exploits more dangerous. The pros definitely outweigh the cons here though.
Most of the security exploits are with the implementation, not the pattern itself. The pattern specifies the problem and how to solve it, not the code to implement that solution. This conversation crosses into the open source security debate, and different people have different opinions on that issue.