SEC835 Database and Web application security Information Security Architecture.
Terms and definitions
Threat – a potential for violation of security. Threats always exist
Threat agent, or attacker, or adversary – an entity that attacks the system
Attack – a deliberate action undertaken in order to compromise the security of the system
Countermeasure, or security control – anything (an action, device or technique) undertaken to address a security threat
Risk – the likelihood that an attack occurs and succeeds, weighed against the impact it would have
Vulnerability – a weakness of the system that may be exploited by an attacker
What to protect
For the company's information assets, protect:
Confidentiality – access to the information is allowed to authorized persons only
Integrity – data has not been changed maliciously in storage, in transit or in processing
Availability – data is available in accordance with business requirements, and to authorized persons
Domains of controls
National Institute of Standards and Technology (NIST) recommends the following classification of controls
Management
Operational
Technical
Category of controls
Preventive – prevent the attack
Detective – when an attack occurs, help to discover it and the security holes it exploited
Management controls
InfoSec policies
System Security Plan
Security Risk Management
Secure System Development Life Cycle
Legal compliance policy
Auditing policy
Operational controls
Contingency planning
Disaster recovery plan
Incident response plan
Security Education, Training and Awareness Program (SETA)
Personnel Security
Physical security
Technical controls
Security services: Identification, Authentication, Authorization, and Accountability, aka Access Control
Audit Trails
Cryptography
Secure error handling
Data validation
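Two of the technical controls listed above, data validation and secure error handling, shown in one request handler. This is an added example, not code from the course; the handler shape, the `transfer` stand-in, the field names and the constructed backend failure are all assumptions made for illustration. The "before" handler reflects raw input and internal exception text back to the client; the "after" handler validates against an allowlist, keeps detail in server-side logs and the audit trail, and returns only generic errors.

```python
import logging
import re
from decimal import Decimal, InvalidOperation

log = logging.getLogger("app")      # developer-facing log, stays server-side
audit = logging.getLogger("audit")  # accountability: who did what, when, outcome

# Allowlist validation: define exactly what is acceptable and reject everything else.
ACCOUNT_ID_RE = re.compile(r"^[0-9]{1,12}$")   # digits only, bounded length
MAX_AMOUNT = Decimal("1000000")


class ValidationError(ValueError):
    """Input failed validation; the message is for the server log, never the client."""


def validate_account_id(raw):
    if not isinstance(raw, str) or not ACCOUNT_ID_RE.fullmatch(raw):
        raise ValidationError(f"account_id rejected: {raw!r}")
    return raw


def validate_amount(raw):
    try:
        amount = Decimal(str(raw))
    except (InvalidOperation, ValueError, TypeError):
        raise ValidationError(f"amount not numeric: {raw!r}")
    # NaN/Infinity parse as Decimal but are not finite; negative and oversized values are rejected.
    if not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT:
        raise ValidationError(f"amount out of range: {amount}")
    return amount


def transfer(account_id, amount):
    """Stand-in for the business operation (assumed). Account 999 simulates a backend failure."""
    if account_id == "999":
        raise RuntimeError("db: connection refused to 10.0.0.5:5432")  # constructed failure
    return f"TX-{account_id}-{amount}"


def insecure_handler(params):
    """'Before': one catch-all, and the exception text goes straight to the client."""
    try:
        account_id = validate_account_id(params.get("account_id"))
        amount = validate_amount(params.get("amount"))
        return 200, {"reference": transfer(account_id, amount)}
    except Exception as exc:
        # Leaks reflected input on validation failure and hostnames/ports on backend failure.
        return 500, {"error": str(exc)}


def secure_handler(params, user="anonymous"):
    """'After': validate first, fail closed, log detail server-side, answer generically."""
    try:
        account_id = validate_account_id(params.get("account_id"))
        amount = validate_amount(params.get("amount"))
    except ValidationError as exc:
        audit.warning("user=%s rejected input: %s", user, exc)
        return 400, {"error": "invalid request"}   # no echo of the offending value
    try:
        reference = transfer(account_id, amount)
    except Exception:
        log.exception("transfer failed user=%s account=%s", user, account_id)  # full trace stays here
        return 500, {"error": "internal error"}    # no stack trace or backend detail to the client
    audit.info("user=%s transfer account=%s amount=%s ref=%s", user, account_id, amount, reference)
    return 200, {"reference": reference}
```

The two handlers accept the same valid request; they differ only in what an attacker learns from a rejected or failed one. The audit logger is the accountability control: every rejection and every completed operation is attributed to a user, while the developer log keeps the stack trace that must never reach the response body.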
Secure Software
Fundamental for the security of today's computer systems
Ensure the absence of security holes in the code
Applies to both security services and business applications
Achieving secure software
Requires a clear definition of “secure”
Requires defined process with clear objectives and outputs
Requires integration with existing practices
Assurance
Axiom: It is impossible to demonstrate with absolute certainty that a moderately complex application doesn't have any vulnerabilities.
Second best: we can provide assurance that an application was designed, implemented and tested in rigorous ways (and by skilled people)
Decrease the likelihood of vulnerabilities and other defects
Training in secure programming provides assurance
Software engineering processes designed for assurance
Traditional Application Security
A network-centric approach = “penetrate and patch”
based primarily on finding and fixing known security problems after they have been exploited in fielded systems
It is reactive
It is too late
New concept of software security
The process of building secure software
Designing software to be secure
Verifying that software is secure
Educating software developers, architects, and users about how to build security in from the start
Security practitioners proactively attempt to build software that can withstand attack
The processes of secure development
Secure System Development Lifecycle (SecSDLC)
Security Requirements
• Information Security Assets inventory
• Threat modeling
• Risk analysis and evaluation
• Security requirements development
Secure Design and Specification
• Identify secure design patterns
• Build the secure software architecture
• Convert the design solution into an implementation specification
• Verify security solution
• Evaluate security solution – residual risk statement
Implementation
• Coding security standards and guidelines
Testing
• Security test cases
• Source code review – static analysis
Move to production
• Residual risks statement
Maintenance
• Risk assessment and audit
• Ongoing support and changes
Project Management
Secure development must be integrated into Software Development Lifecycle, and into formal project management methodology and processes
That is where concepts obtain their implementers
Integrated into Project Management
Identify deliverables
Identify roles and responsibilities
Incorporate into project schedule
Monitor the deliverables on a regular basis
Multi-Tiered Security
No single security mechanism is sufficient
Design the security architecture as a multi-tiered defence:
Technical controls
Operational controls
Management controls, aka governance
Security Policy
Governance is expressed as enterprise information security policies. Examples:
Physical security policy
Infrastructure security policy
Access control policy
Business continuity policy
Security Policy (cont)
Human factors
Security Awareness, Training, and Education (SETA)
Employment policy
Acceptable use policy
SETA
Goal – educate employees in order to prevent security incidents, and to be able to hold employees legally liable for violations
Continuing learning
Security training
Employment policy
Identify security aspects related to an employee:
Hiring
Change of role or status in the company
Termination
Acceptable use policy
Define acceptable use of the company assets, e.g.:
Internet
Mobile phone
Computer
Other equipment