 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.

Presentation transcript:

Chapter 14 – Security Engineering 1

Threat Types
- Interception
  - May be hard to detect
- Interruption
  - Denial of service
- Modification
- Fabrication

Levels of Attack
- Levels
  - Application
  - Infrastructure
  - OS
  - Database
  - Web server
  - Network
  - GUI
- Attack on infrastructure may be more likely
  - Better known vulnerabilities

Design Guidelines
- #1 Base security decisions on an explicit security policy
  - Stated, overall goal (what, not how)
  - Examples
    - Only physicians registered with system can view data
    - Only creator of a record can modify it
    - All transactions must be logged

Design Guidelines
- #2 Avoid single point of failure
  - Single point of failure: one aspect of a system that, if it were to fail, would cause the entire system to fail.
  - Examples / solutions
    - Database (if only one server) – mirrored site
    - Web server (if only one server) – redundant server
    - Data records loss – keep log so that data can be recreated
  - Layered protection (“defense in depth”)
    - Like multiple protections of a house
    - Passwords: login, password, IP, biometrics,…

Design Guidelines
- #3 Fail securely – if there is a failure, the resulting condition should not be less secure
  - Example:
    - Failure to find a file in a web directory – you need to block browsing of web directories
    - Reboot OS in “safe mode” – you still need to require logon to access data, functionality

Design Guidelines
- #4 Balance security and usability
  - Example:
    - Excessively difficult password systems will force users to document them (on sticky notes, text files…)

Design Guidelines
- #5 Log user actions
  - Example:
    - Track logon attempts, including passwords, IP address – if analyzed can lead to attacker
    - Track who attempts to change data (but is denied)
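Guidelines #1, #3 and #5 combined in one access check, as an added example that is not part of the original slides: it enforces the three policy examples from guideline #1, denies on any internal failure, and logs every decision including denied change attempts. The class, user and record names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class RecordSystem:
    physicians: set                 # users registered with the system (hypothetical)
    creators: dict                  # record id -> user who created the record
    audit_log: list = field(default_factory=list)

    def _decide(self, user, action, record_id):
        creator = self.creators[record_id]       # KeyError for an unknown record
        if action == "view":                     # only registered physicians view
            return user in self.physicians
        if action == "modify":                   # only the creator modifies
            return user == creator
        raise ValueError("unknown action")

    def authorize(self, user, action, record_id):
        try:
            allowed = self._decide(user, action, record_id)
        except Exception:
            allowed = False                      # fail securely: any error means deny
        # every transaction is logged, allowed or not
        outcome = "ALLOW" if allowed else "DENY"
        self.audit_log.append((user, action, record_id, outcome))
        return allowed

    def denied_attempts(self, action):
        # who attempted an action but was denied
        return [e for e in self.audit_log if e[1] == action and e[3] == "DENY"]

def demo():
    # Constructed sample data
    s = RecordSystem(physicians={"dr_a", "dr_b"}, creators={"r1": "dr_a"})
    results = [
        s.authorize("dr_b", "view", "r1"),       # registered physician
        s.authorize("clerk", "view", "r1"),      # not registered
        s.authorize("dr_a", "modify", "r1"),     # creator of r1
        s.authorize("dr_b", "modify", "r1"),     # physician, but not the creator
        s.authorize("dr_a", "view", "missing"),  # lookup fails, so access is denied
    ]
    return results, s

if __name__ == "__main__":
    outcome, system = demo()
    print(outcome)
    print(system.denied_attempts("modify"))
```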

Design Guidelines
- #6 Use redundancy and diversity to reduce risk
  - Example:
    - Redundancy – second copy of web site, database
    - Diversity – different version of software

Design Guidelines
- #7 Validate all inputs
  - SQL Injection – response to a form field that, when inserted into an SQL command, can cause undesired actions in the database
  - Command:
    - Select * from Users where id='xxxx'
  - Field:
    - 1' ; DROP TABLE users; select 'a
  - Solution: escape string
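The command and field value from this slide, run against an in-memory SQLite database, as an added example that is not part of the original slides. It shows the concatenated query, the slide's escape-string fix, and goes one step further with a parameterized query; the function names and sample rows are constructed, and executescript() stands in for a driver that accepts stacked statements.

```python
import sqlite3

PAYLOAD = "1' ; DROP TABLE users; select 'a"    # the "Field" value from the slide

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE Users (id TEXT PRIMARY KEY, name TEXT);"
        "INSERT INTO Users VALUES ('1', 'alice'), ('2', 'bob');"  # constructed rows
    )
    return db

def users_table_exists(db):
    q = "SELECT count(*) FROM sqlite_master WHERE type='table' AND lower(name)='users'"
    return db.execute(q).fetchone()[0] == 1

def query_naive(field):
    # Vulnerable: the field is pasted into the SQL text unchanged
    return "SELECT * FROM Users WHERE id='" + field + "'"

def query_escaped(field):
    # The slide's solution: escape the string (SQL doubles a single quote)
    return "SELECT * FROM Users WHERE id='" + field.replace("'", "''") + "'"

def run_script(db, sql):
    # Runs every statement in sql; returns True if Users survived
    db.executescript(sql)
    return users_table_exists(db)

def lookup_parameterized(db, field):
    # The field travels as data and is never parsed as SQL
    return db.execute("SELECT * FROM Users WHERE id = ?", (field,)).fetchall()

if __name__ == "__main__":
    print(query_naive(PAYLOAD))
    print("naive, table survives:  ", run_script(make_db(), query_naive(PAYLOAD)))
    print("escaped, table survives:", run_script(make_db(), query_escaped(PAYLOAD)))
    print("parameterized rows:     ", lookup_parameterized(make_db(), PAYLOAD))
```

Escaping rules differ between database engines, which is why the parameterized form is the more robust of the two fixes.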

Design Guidelines
- #8 Compartmentalize assets
  - Example:
    - Voter targeting system:
      - All clients could have accessed same database, tables.
      - This was separated into separate database per customer

Design Guidelines
- #9 Design for deployment – plan for clear configuration
  - Example:
    - Software inside of a wireless router (Airport Express)
      - Default security mode
      - Default DHCP ranges
      - Default network names

Design Guidelines
- #10 Design for recoverability
  - Steps
    - Features to view all configuration
    - Minimize default privileges
      - Require intentional setting
    - Localize configuration settings
      - (Not everywhere in system)
    - Provide easy ways to fix vulnerabilities
      - Software update mechanisms
      - Auto check for updates

Design Guidelines
- #11 – Limit menus, options to only what user has permissions for

Survivability
- Ability to continue to deliver service even if under attack

Survivability Strategies
- Resistance
- Recognition
- Recovery

Activity
- Discuss what you would do to address the guidelines discussed tonight
- Systems
  - Facebook
  - Healthcare management system
  - School grade records system
