Professional Documents
Culture Documents
Security Engineering
Security engineering is concerned with how to develop and maintain systems that can resist malicious attacks intended to damage a computer-based system or its data. Security may be compromised in: 1. Application security is a software engineering problem where software engineers should ensure that the system is designed to resist attacks. 2. Infrastructure security is a systems management problem where system managers should ensure that the infrastructure is configured to resist attacks. System managers have to set up the infrastructure to make the most effective use of whatever infrastructure security features are available. Thl:y also have to repair infrastructure security vulnerabilities that have come to light as the software is used. Range of Activities in Security Management 1. User and permission management includes adding and removing users from the system, ensuring that appropriate user authentication mechanisms are in place and setting up the permissions in the system so that users only have access to the resources that they need. 2. System software deployment and maintenance includes installing system software and middleware and configuring these properly so that security vulnerabilities are avoided. It also involves updating this software regularly with new versions or patches that repair security problems that have been discovered. 3. Attack monitoring, detection and recovery includes activities which monitor the system for unauthorised access, detect and put in place strategies for resisting attacks and backup activities so that normal operation can be resumed after an external attack. Security threats fall into three principal categories: 1. Threats to the confidentiality of the system and its data. 2. Threats to the integrity of the system and its data. 3. Threats to the availability of the system and its data.
The controls that you might put in place to enhance system security also fall into three classes: 1. Controls that are intended to ensure that attacks are unsuccessful. 2. Controls that are intended to detect and repel attacks. 3. Controls that support recovery from problems. Security risk management involves assessing the losses that might ensue from attacks on a system and deriving security requirements that are aimed at eliminating or reducing these losses. Staged Process of Risk Assessment 1. Preliminary risk assessment. The aim of this assessment process is, firstly, to assess whether or not the benefits of developing the system justify the associated risks and then to derive specific security requirements for the system to be implemented. 2. Life cycle risk assessment. This risk assessment takes place during the system development life cycle and is informed by the technical system design and implementation decisions. It informs the process of security requirements engineering. Known and potential vulnerabilities are identified and this knowledge is used to inform decision-making about the system functionality and how it is to be implemented, tested and deployed.
Exposure Assessment
Threat Identification
Probability Assessment
Control Identification
Feasibility Assessment
1. Asset identification where the system assets that may require protection are identified. 2. Asset value assessment where you estimate the value of the identified assets. 3. Exposure assessment where you assess the potential losses associated with each asset. 4. Threat identification where you identify the threats to system assets. 5. Probability assessment where you estimate the probability of each threat. 6. Control identification where you propose the controls that might be put in place to protect an asset. 7. Feasibility assessment where you assess the technical feasibility and the costs of the proposed controls. 8. Security requirements definition where the exposure, threats and control assessments are used to derive a set of system security requirements.
In designing a system architecture that maintains security, you need to consider two fundamental issues: 1. Protection--how should the system be organised so that critical assets can be protected against external attack? 2. Distribution--how should system assets be distributed so that the effects of a successful attack are minimized? Design guidelines for secure system engineering 1. Base security decisions on an explicit security policy 2. Avoid a single point of failure 3. Fail securely 4. Balance security and usability 5. Be aware of the possibility of social engineering 6. Use redundancy and diversity to reduce risk 7. Validate all inputs 8. Compartmentalize your assets 9. Design for deployment 10. Design for recoverabiJity
Deployment of a system involves configuring the software to operate in an operational environment, installing the system on the computers in that environment and then configuring the installed system for these computers. Four ways in which you can incorporate deployment support in a system: 1. Include support for viewing and analysing configurations 2. Mimmise default privileges 3. Localise configuration settings 4. Provide easy ways to fix security vulnerabilities
System survivability reflects the ability of a system to continue to deliver essential business or missioncritical services to legitimate users whilst it is under attack or after part of the system has been damaged. Strategies to achieve system survivability 1. Resistance 2. Recognition 3. Recovery Four-stage process of systems analysis 1. System understanding 2. Critical service identification 3. Attack simulation Scenarios 4. Survivability analysis Components
Service engineering is the process of developing services for reuse in service-oriented applications. It has much in common with component engineering. Three logical stages in the service engineering process
Service Candidate Identification Service Candidate Identification Service Candidate Identification
Service Requirements
Service interfaces are defined in an XML-based language called WSDL. A WSDL specification includes a definition of the interface types and operations, the binding protocol used by the service and the service location There are three stages to service interface design: 1. Logical interface design where you identify the operations associated with the service, the inputs and outputs of these operations and the exceptions associated with these operations. 2. Message design where you design the structure of the messages that are sent and received by the service. 3. WSDL development where you translate your logical and message design to an abstract interface description written in WSDL. Legacy System Services 1. A maintenance service 2. A facilities service 3. A logging service
Test Service
Workflow Design
Service List
Service Specifications
Workflow Design
Executable Workflow
Deployable Service
Workflow design involves analysing existing or planned business processes to understand the different stages of these processes then representing the process being designed in a workflow design notation. Testing is important in all system development processes to help demonstrate that a system meets its functional and non-functional requirements and to detect defects that have been introduced during the development process. Techniques of software testing based on sourcecode analysis cannot be used in service oriented systems that rely on externally provided services.
10
5. Organizational concerns which are related to organizational goals and priorities such as producing a system within budget, making use of existing software assets or maintaining the reputation of an organization. Tangling occurs when a module in a system includes code that implements different system requirements. The related phenomenon of scattering occurs when the implementation of a single concern is scattered across several components in a program. Aspect is a program abstraction that defines a cross-cutting concern. It includes the definition of a pointcut and the advice associated with that concern. Join Point is an event in an executing program where the advice associated with an aspect may be executed. Pointcut is a statement, included in an aspect, that defines the join points where the associated aspect advice should be executed. Types of extension that are derived from the different types of concern 1. Secondary functional extensions. These add additional functional capabilities to the functionality provided in the core system. For example, the production of reports on the drugs prescribed in the previous month would be a secondary functional extension to a patient informaltion system. 2. Policy extensions. These add functional capabilities to support some organiZational policy. Extensions which add security features are examples of policy extensions. 3. QoS extensions. These add functional capabilities to help attain the quality of service requirements that have been specified for the system. For example, an extensmn might provide support for a cache to reduce the number of database accesses or automated backups for recovery in the event of a system failure. 4. Infrastructure extensions. These extensions add functional capabilities to support the Implementation of a system on some specific implementation platform.
11
Viewpoint-oriented approach to requirements engineering, where each viewpoint represents the requirements of related groups of stakeholders, is one way to separate core and secondary concerns. Aspect-oriented design is the process of designing a system that makes use of aspects to implement the cross-cctting conoerns and extensions that are identified during the requirements engineering process. Generic Aspect Oriented Design Process
Composition Design
Name Design
Software Requirements
Design Models
1. Core system design. At this stage, you should design an architecture to support the central, core functionality of the system. The architecture must also take into account quality of service requirements such as performance and dependability requirements. However, specific functional support that is required should be implemented as extensions. 2. Aspect identification and design. Starting with the extensions identified in the system requirements, you should analyse these to see if they are aspects in themselves or if they should be broken down into several aspects. Once aspects have been identified, these can then be separately designed, taking into account the design of the core system features. 3. Composition design. At this stage, you analyse the core system and aspect designs to discover where the aspects should be composed with the core system. 4. Conflict analysis and resolution. A problem with aspects is that they may interfere with each other when they are composed with the core system 5. Name design. This is an important design activity that defines standards for naming entities in the program.
12