
Chapter 14 – Security Engineering
Chapter 12 Dependability and Security Specification


2 Threat Types
  Interception
    May be hard to detect
  Interruption
    Denial of service
  Modification
  Fabrication

3 Levels of Attack
  Levels
    Application
    Infrastructure
    OS
    Database
    Web server
    Network
    GUI
  Attack on infrastructure may be more likely
    Better known vulnerabilities

4 Design Guidelines
  #1 Base security decisions on an explicit security policy
    Stated, overall goal (what, not how)
    Examples
      Only physicians registered with the system can view data
      Only the creator of a record can modify it
      All transactions must be logged

5 Design Guidelines
  #2 Avoid single points of failure
    Single Point of Failure: one aspect of a system that, if it were to fail, would cause the entire system to fail.
    Examples / solutions
      Database (if only one server) – mirrored site
      Web server (if only one server) – redundant server
      Data record loss – keep a log so that data can be recreated
    Layered protection (“defense in depth”)
      Like the multiple protections of a house
      Passwords: login, password, IP, biometrics, …

6 Design Guidelines
  #3 Fail securely – if there is a failure, the resulting condition should not be less secure
    Examples:
      Failure to find a file in a web directory – you still need to block browsing of web directories
      Reboot OS in “safe mode” – you still need to require logon to access data and functionality

7 Design Guidelines
  #4 Balance security and usability
    Example:
      Excessively difficult password systems will force users to document them (on sticky notes, text files, …)

8 Design Guidelines
  #5 Log user actions
    Examples:
      Track logon attempts, including passwords and IP address – if analyzed, these can lead to the attacker
      Track who attempts to change data (but is denied)

9 Design Guidelines
  #6 Use redundancy and diversity to reduce risk
    Examples:
      Redundancy – a second copy of the web site, the database, …
      Diversity – different versions of the software

10 Design Guidelines
  #7 Validate all inputs
    SQL Injection – a response to a form field that, when inserted into an SQL command, can cause undesired actions in the database
    Command:
      Select * from Users where id='xxxx'
    Field:
      1' ; DROP TABLE users; select 'a
    Solution: escape the string
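The slide's command and field value worked through as an added example that is not part of the original presentation: the naive query splices the field into the SQL text, the slide's escape-string fix doubles the single quotes, and a parameterized query (assumed here as the preferred form, not something the slide states) hands the value to the driver so it is never parsed as SQL. The Users table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data; the Users table and its rows are not from the slides.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", [("1", "alice"), ("2", "bob")])
    conn.commit()
    return conn

# The form-field value shown on the slide.
HOSTILE_FIELD = "1' ; DROP TABLE users; select 'a"

def naive_query(field):
    """Vulnerable: the field is spliced straight into the slide's command text."""
    return "Select * from Users where id='" + field + "'"

def escape_string(field):
    """The slide's fix: escape the string. Doubling a single quote is the SQL
    escape inside a quoted literal, so the field can no longer end the literal."""
    return field.replace("'", "''")

def table_exists(conn):
    """True while the Users table is still present (SQLite names are case-insensitive,
    so 'DROP TABLE users' removes 'Users')."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Users'"
    ).fetchone()
    return row is not None

def run_naive(conn, field):
    """Execute the unescaped query the way a server that accepts stacked statements
    would. Returns whether Users survived; with HOSTILE_FIELD it does not."""
    conn.executescript(naive_query(field))
    return table_exists(conn)

def lookup_escaped(conn, field):
    """The slide's solution applied: one statement, the field is treated as data."""
    return conn.execute(naive_query(escape_string(field))).fetchall()

def lookup_parameterized(conn, field):
    """Assumed preferred form: a bound parameter is never parsed as SQL."""
    return conn.execute("SELECT * FROM Users WHERE id = ?", (field,)).fetchall()
```

Escaping rules differ between database dialects (backslash escapes, other quoting conventions) and are easy to get wrong, which is why the parameterized form is the one to reach for in practice.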

11 Design Guidelines
  #8 Compartmentalize assets
    Example:
      Voter targeting system:
        All clients could have accessed the same database and tables.
        This was separated into a separate database per customer.

12 Design Guidelines
  #9 Design for deployment – plan for clear configuration
    Example:
      Software inside a wireless router (Airport Express)
        Default security mode
        Default DHCP ranges
        Default network names

13 Design Guidelines
  #10 Design for recoverability
    Steps
      Features to view all configuration
      Minimize default privileges
      Require intentional setting
      Localize configuration settings (not everywhere in the system)
      Provide easy ways to fix vulnerabilities
        Software update mechanisms
        Auto-check for updates

14 Design Guidelines
  #11 Limit menus and options to only what the user has permissions for

15 Survivability
  Ability to continue to deliver service even if under attack

16 Survivability Strategies
  Resistance
  Recognition
  Recovery

17 Activity
  Discuss what you would do to address the guidelines discussed tonight
  Systems
    Facebook
    Healthcare management system
    School grade records system


