SEC835 Database and Web application security Information Security Architecture.


1 SEC835 Database and Web application security Information Security Architecture

2 Terms and definitions
Threat – a potential for violation of security. Threats always exist.
Threat agent, or attacker, or adversary – an entity that attacks the system.
Attack – a deliberate action undertaken in order to compromise the system's security.
Countermeasure, or security control – anything (action, device, technique) undertaken to address security threats.
Risk – a probability of the attack occurrence.
Vulnerability – a weakness of the system that may be exploited by an attacker.

3 Information Security assets
Data
  Business data
  Security data
Technology
  Software
  Hardware
  Network

4 What to protect
For the company: the information assets to protect
Confidentiality – access to the information is allowed to authorized persons only
Integrity – data has not been changed maliciously in storing, transferring or processing
Availability – data is available in accordance with business requirements, and to authorized persons

5 Key Security Concepts

6 Domains of controls
The National Institute of Standards and Technology (NIST) recommends the following classification of controls:
  Management
  Operational
  Technical

7 Categories of controls
Preventive – prevent the attack
Detective – when an attack occurs, help to discover the security holes that were used

8 Management controls
  InfoSec policies
  System Security Plan
  Security Risk Management
  Secure System Development Life Cycle
  Legal compliance policy
  Auditing policy

9 Operational controls
  Contingency planning
    Disaster recovery plan
    Incident response plan
  Security Education, Training and Awareness Program (SETA)
  Personnel security
  Physical security

10 Technical controls
Security services
  Identification, Authentication, Authorization, and Accountability, aka Access Control
  Audit Trails
  Cryptography
  Secure error handling
  Data validation
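As an added example (not from the slides or the course), the following Python shows three of the technical controls listed above working together in one web-application request handler: data validation (an allow-list check before any database access), secure error handling (the client sees only a generic message and a correlation id while the real cause goes to the server log and audit trail), and an audit trail entry for each security-relevant event. The account-lookup scenario, the in-memory "database" dictionary and the in-memory audit list are assumptions made for the example.

```python
"""Added example, not part of the SEC835 slides.

Assumed scenario: a web application looks up a bank account by a
user-supplied account number. The dictionary ACCOUNTS stands in for a
database table and AUDIT_TRAIL for an audit table; both are constructed
sample data for this example only.
"""
import logging
import re
import uuid

# Allow-list: an account number is exactly 8 ASCII digits. fullmatch() is used
# rather than match() with "$", because "$" would also accept a trailing
# newline. Anything else is rejected before it reaches the data layer
# (a preventive control).
ACCOUNT_RE = re.compile(r"[0-9]{8}")

# Constructed sample data standing in for a database table.
ACCOUNTS = {"12345678": {"owner": "alice", "balance": 100}}

# Audit trail: one record per security-relevant event (a detective control).
AUDIT_TRAIL = []

log = logging.getLogger("app")


class ValidationError(ValueError):
    """Raised when input fails the allow-list check."""


def validate_account_number(value):
    """Data validation: accept only values that match the allow-list."""
    if not isinstance(value, str) or not ACCOUNT_RE.fullmatch(value):
        raise ValidationError("account number must be exactly 8 digits")
    return value


def audit(event, principal, detail):
    """Append one audit record: who did what, with the correlation id."""
    AUDIT_TRAIL.append({"event": event, "principal": principal, "detail": detail})


def lookup_account(principal, raw_account):
    """Handle one request and return (http_status, body) for the client.

    Secure error handling: every failure path returns a generic message plus
    a correlation id. The detailed reason is recorded server-side only, so
    database errors, stack traces and the rejected input never reach the
    client, but an operator can still tie a user report to the audit record.
    """
    correlation_id = uuid.uuid4().hex
    try:
        account = validate_account_number(raw_account)
        record = ACCOUNTS[account]
    except ValidationError as exc:
        audit("input_rejected", principal, f"{correlation_id}: {exc}: {raw_account!r}")
        return 400, {"error": "invalid request", "ref": correlation_id}
    except KeyError:
        audit("account_not_found", principal, f"{correlation_id}: {raw_account}")
        return 404, {"error": "not found", "ref": correlation_id}
    except Exception as exc:  # any unexpected failure: log it, never expose it
        log.exception("unhandled error %s", correlation_id)
        audit("internal_error", principal, f"{correlation_id}: {type(exc).__name__}")
        return 500, {"error": "internal error", "ref": correlation_id}
    audit("account_read", principal, f"{correlation_id}: {account}")
    return 200, {"owner": record["owner"], "balance": record["balance"]}


if __name__ == "__main__":
    # Constructed inputs: one valid, one too short, one non-numeric, one unknown.
    for raw in ["12345678", "1234567", "12ab5678", "99999999"]:
        print(raw, "->", lookup_account("alice", raw))
    for entry in AUDIT_TRAIL:
        print(entry)
```

The validation function is deliberately an allow-list (what is accepted) rather than a deny-list of bad characters, and the rejected raw input is stored only in the audit record, which is where an analyst applying the "detective" category from the earlier slide would look for it.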

11 Technical controls
Network security (out of our scope)
  Firewalls
  Intrusion Detection Systems

12 Secure Software
  Fundamental for today's computer system security
  Ensure the absence of security holes in the code
  Applies both to security services and to business applications

13 Achieving secure software
  Requires a clear definition of "secure"
  Requires a defined process with clear objectives and outputs
  Requires integration with existing practices

14 Assurance
Axiom: It is impossible to demonstrate with absolute certainty that a moderately complex application doesn't have any vulnerabilities.
Second best: We can provide assurance that an application was designed, implemented and tested in rigorous ways (and by skilled people)
  Decrease the likelihood of vulnerabilities and other defects
  Training in secure programming provides assurance
  Software engineering processes designed for assurance

15 Traditional Application Security
A network-centric approach = "penetrate and patch", based primarily on finding and fixing known security problems after they have been exploited in fielded systems
  It is reactive
  It is too late

16 New concept of software security
The process of building secure software
  Designing software to be secure
  Verifying that software is secure
  Educating software developers, architects, and users about how to build security in from the start
Secure practitioners proactively attempt to build software that can withstand attack

17 The processes of secure development cont./

18 The processes of secure development
Secure System Development Lifecycle (SecSDLC)
Security Requirements
  Information Security Assets inventory
  Threat modeling
  Risk analysis and evaluation
  Security requirements development
Secure Design and Specification
  Secure design patterns identification
  Secure software architecture built
  Convert design solution into implementation specification
  Verify security solution
  Evaluate security solution – residual risk statement
cont./

19 The processes of secure development
Secure System Development Lifecycle (cont.)
Implementation
  Coding security standards and guidelines
Testing
  Security test cases
  Source code review – static analysis
Move to production
  Residual risks statement
Maintenance
  Risk assessment and audit
  Ongoing support and changes
cont./

20 The processes of secure development
Project Management
Secure development must be integrated into the Software Development Lifecycle, and into the formal project management methodology and processes. That is where concepts obtain their implementers.
Integrated into Project Management:
  Identify deliverables
  Identify roles and responsibilities
  Incorporate into the project schedule
  Monitor the deliverables on a regular basis

21 Multi-Tiered Security
No single security mechanism is sufficient
Design the security architecture as a multi-tiered defence:
  Technical controls
  Operational controls
  Management controls, aka governance

22 Security Policy
Governance is expressed as a set of enterprise information security policies. Examples:
  Physical security policy
  Infrastructure security policy
  Access control policy
  Business continuity policy

23 Security Policy (cont.)
Human factors
  Security Awareness, Training, and Education (SETA)
  Employment policy
  Acceptable use policy

24 SETA
Goal – educate employees in order to prevent security incidents, and to be able to legally enforce employees' liability
  Continuing learning
  Security training

25 Employment policy
Identify the security aspects related to an employee's:
  Hiring
  Change of status in the company
  Termination

26 Acceptable use policy
Define acceptable use of the company's assets, e.g.:
  Email
  Internet
  Mobile phone, computer
  Other equipment

27 Week 1 Lab – 1%
Review the document "National Bank Acceptable Use Policy".
Answer the questions printed on the enclosed sheet.
