SEC835 Database and Web application security Information Security Architecture

Upload: adrian-gavin-owens

Post on 26-Dec-2015


SEC835

Database and Web application security

Information Security Architecture

Terms and definitions

Threat – a potential for violation of security. Threats always exist.

Threat agent, or attacker, or adversary – an entity that attacks the system

Attack – a deliberate action undertaken in order to compromise the system's security

Countermeasure, or security control – anything (action, device, technique) undertaken to address security threats

Risk – the probability that an attack occurs

Vulnerability – a weakness of the system that may be exploited by an attacker

Information Security assets

Data

• Business data

• Security data

Technology

• Software

• Hardware

• Network

What to protect

For the company information assets, protect:

Confidentiality – access to the information is allowed to authorized persons only

Integrity – data has not been changed maliciously in storage, transfer or processing

Availability – data is available in accordance with business requirements, and to authorized persons

Key Security Concepts

Domains of controls

The National Institute of Standards and Technology (NIST) recommends the following classification of controls:

Management

Operational

Technical

Category of controls

Preventive – prevent the attack

Detective – in case an attack occurs, help to discover the security holes

Management controls

InfoSec policies

System Security Plan

Security Risks Management

Secure System Development Life Cycle

Legal compliance policy

Auditing policy

Operational controls

Planning for contingency

• Disaster recovery plan

• Incident response plan

Security Education, Training and Awareness Program (SETA)

Personnel Security

Physical security

Technical controls

Security services – Identification, Authentication, Authorization, and Accountability, aka Access Control

Audit Trails

Cryptography

Secure error handling

Data validation

Technical controls (cont)

Network security (out of our scope)

• Firewalls

• Intrusion Detection Systems

Secure Software

Fundamental to today's computer system security

• Ensure the absence of security holes in the code

• Applies to both security services and business applications

Achieving secure software

Requires a clear definition of “secure”

Requires defined process with clear objectives and outputs

Requires integration with existing practices

Assurance

Axiom: It is impossible to demonstrate with absolute certainty that a moderately complex application doesn't have any vulnerabilities.

Second best: we can provide assurance that an application was designed, implemented and tested in rigorous ways (and by skilled people)

Decrease the likelihood of vulnerabilities and other defects

Training in secure programming provides assurance

Software engineering processes designed for assurance

Traditional Application Security

A network-centric approach = “penetrate and patch”

Based primarily on finding and fixing known security problems after they have been exploited in fielded systems

It is reactive

It is too late

New concept of software security

The process of building secure software

• Designing software to be secure

• Verifying that software is secure

• Educating software developers, architects, and users about how to build security in from the start

Secure software practitioners proactively attempt to build software that can withstand attack

The processes of secure development


Secure System Development Lifecycle (SecSDLC)

Security Requirements

• Information Security Assets inventory

• Threat modeling

• Risk analysis and evaluation

• Security requirements development

Secure Design and Specification

• Secure design patterns identification

• Secure software architecture built

• Convert design solution into implementation specification

• Verify security solution

• Evaluate security solution – residual risk statement

Implementation

• Coding security standards and guidelines

Testing

• Security test cases

• Source code review – static analysis

Move to production

• Residual risks statement

Maintenance

• Risk assessment and audit

• Ongoing support and changes


Project Management

Secure development must be integrated into the Software Development Lifecycle, and into the formal project management methodology and processes

That is where concepts obtain their implementers

Integrated into Project Management

Identify deliverables

Identify roles and responsibilities

Incorporate into project schedule

Monitor the deliverables on a regular basis

Multi-Tiered Security

No single security mechanism is sufficient; design the security architecture as a multi-tiered defence:

• Technical controls

• Operational controls

• Management controls, aka governance

Security Policy

Governance is expressed as enterprise information security policies. Examples:

• Physical security policy

• Infrastructure security policy

• Access control policy

• Business continuity policy

Security Policy (cont)

Human factors

• Security Awareness, Training, and Education (SETA)

• Employment policy

• Acceptable use policy

SETA

Goal – educate employees in order to prevent security incidents and to make employees' liability legally enforceable

Continuing learning

Security training

Employment policy

Identify security aspects related to an employee:

Hiring

Changing state in the company

Termination

Acceptable use policy

Define acceptable use of the company assets, e.g.:

Email

Internet

Mobile phone

Computer

Other equipment

Week 1 Lab – 1%

Review the document “National Bank Acceptable Use Policy”

Answer the questions printed on an enclosed sheet.