Security Issues CS 560. Security in the software development process The security goal:  To make sure that agents (people or external systems) who interact.

Slides:



Advertisements
Similar presentations
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Advertisements

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 CS 501 Spring 2005 CS 501: Software Engineering Lecture 21 Reliability 3.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Crime and Security in the Networked Economy Part 4.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
CS 501: Software Engineering Fall 2000 Lecture 14 System Architecture I Data Intensive Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
CS CS 5150 Software Engineering Lecture 24 Reliability 4.
1 CS 501 Spring 2007 CS 501: Software Engineering Lecture 20 Reliability 2.
1 CS 501 Spring 2006 CS 501: Software Engineering Lecture 20 Reliability 2.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
CS CS 5150 Software Engineering Lecture 19 Reliability 1.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
SSH Secure Login Connections over the Internet
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.
OV Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.
Chapter 13 Network Security. Contents Definition of information security Role of network security Vulnerabilities, threats and controls Network security.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Chapter 10: Authentication Guide to Computer Network Security.
CS CS 5150 Software Engineering Lecture 18 Program Design 3.
BUSINESS B1 Information Security.
CS CS 5150 Software Engineering Lecture 18 Security.
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin Business Plug-In B6 Information Security.
CS 360 Lecture 9.  The security goal:  To make sure that agents (people or external systems) who interact with a computer system, its data and resources,
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
EIDE Design Considerations 1 EIDE Design Considerations Brian Wright Portland General Electric.
1 Class 15 System Security. Outline Security Threats (External: malware, spoofing/phishing, sniffing, & data theft: Internal: unauthorized data access,
SESSION 14 INFORMATION SYSTEMS SECURITY AND CONTROL.
McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved INFORMATION SECURITY SECTION 4.2.
1 Network and E-commerce Security Nungky Awang Chandra Fasilkom Mercu Buana University.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Internet Security and Firewall Design Chapter 32.
Chap1: Is there a Security Problem in Computing?.
Database security Diego Abella. Database security Global connection increase database security problems. Database security is the system, processes, and.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
CPT 123 Internet Skills Class Notes Internet Security Session B.
CS 5150 Software Engineering Lecture 17 Program Design 4/ Security & Privacy.
Policies and Security for Internet Access
Fall 2006CS 395: Computer Security1 Key Management.
1 © 2004, Cisco Systems, Inc. All rights reserved. Wireless LAN (network) security.
Vijay V Vijayakumar.  Implementations  Server Side Security  Transmission Security  Client Side Security  ATM’s.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
LESSON 12 Business Internet. Electronic business, or e-business, is the application of information and communication technologies (ICT) in support of.
Securing Information Systems
Security Issues in Information Technology
Chapter 40 Internet Security.
INFORMATION SYSTEMS SECURITY AND CONTROL.
PAYMENT GATEWAY Presented by SHUJA ASHRAF SHAH ENROLL: 4471
Secure Sockets Layer (SSL)
INFORMATION SECURITY The protection of information from accidental or intentional misuse of a persons inside or outside an organization Comp 212 – Computer.
Securing Information Systems
Security in Networking
Security Issues CS 560 Lecture 9.
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
INFORMATION SYSTEMS SECURITY and CONTROL
Security.
Presentation transcript:

Security Issues CS 560

Security in the software development process The security goal:  To make sure that agents (people or external systems) who interact with a computer system, its data and resources, are those who the owner of the system would wish to have such interactions. Security considerations need to be part of the software development process. 2

Security in the software development process Develop security requirements:  Security requirements developed along with other requirements  Functional, user, legal, etc.  Risk analysis  Identify all threats  Develop security policies  Used as guidelines for requirements 3

Security in the software development process(Documentation) Develop:  Threat models  Security models  Security architectures  Secure communication models 4

Security in the software development process Implementation of security features  From the requirements  Using good design and coding practices 5

Security in the software development process Testing of the code developed in the previous stage Creation and validation of security tests Security vulnerability tracking Code reviews 6

Security in the software development process Monitoring security requirements Upgrade/update security procedures when needed 7

Security in the software development process Causes for system security maintenance:  Customer feedback  Security incident details and vulnerability reports Types of maintenance:  Introduction of new security functionality  Upgrade existing security based on technology trends 8

Security needs and dangers Needs:  Secrecy: control of who gets to read information  Integrity: control of how information changes or resources are used.  Availability: providing prompt access to information and resources  Accountability: knowing who has had access to resources Dangers:  Damage to information: Integrity  Disruption of service:Availability  Theft of money:Integrity  Theft of information:Secrecy  Loss of privacy:Secrecy 9

The economics of security How secure should your system be?  Building secure systems adds cost and time to software development “practical security balances the cost of protection and the risk of loss. When a risk is less than the cost of recovering, it’s better to accept it as a cost of doing business..than to pay for better security.” Butler W. Lampson,

The economics of security Example: Credit card system  Option A:  The card is plastic with all data (name, number, expiration data, etc.) readable by anyone who has access to the card. A copy of the signature is written on the card.  This is a cheap system to implement, but does little to discourage fraud.  Banks in the USA use this system.  Option B (Chip and PIN):  The card has an embedded security chip. To use the card, the security chip must be read by a special reader and the user must type in a secret 4-digit number.  This provides greater protection against fraud, but is more expensive and slightly less convenient for both merchant and user.  Banks in Europe use this system. 11

Security and people People are inherently insecure  Careless (leaving computer logged on, sharing passwords)  Dishonest (stealing, lying)  How is this working out for Volkswagen?  Malicious (denial of service attacks) Many security problems come from inside the organization  In a large organization, there will be some disgruntled and dishonest employees  Security relies on trusted individuals. What if they are dishonest? 12

Design for Security: people Make it easy for responsible people to use your system  Make security procedures simple Make it hard for dishonest or careless people to use your system  Password management, malicious users Train people/users/employees in responsible behavior Test the security of your system thoroughly and often, particularly after changes Do not hide security violations 13

Agents and components The software development challenge  Develop secure and reliable components  Protect the system so that security problems in parts of it do not spread to the entire system A large system will have many agents and components  Each is potentially unreliable and insecure  Components acquired from third parties may have unknown security problems The commercial off-the-shelf (COTS) problem  Developers of COTS software have considerable incentives to supply software that has many options and features  In developing such software rapidly, they have fewer incentives to be thorough about security 14

Security techniques: Barriers Place barriers that separate different parts of a complex system:  Isolate components  EX: some computers are not connected to a network  Firewalls  Require authentication to access certain systems or parts of the system 15

Barriers: Firewall A firewall is a component at the junction of two network segments that:  Inspects every packet that attempts to cross the boundary  Rejects any packet that does not satisfy certain criteria  An incoming request to open a TCP connection  An unknown packet type Firewalls provide increased security at a loss of flexibility, inconvenience for users, and extra system administration. 16

Security Techniques: Authentication and authorization Authentication: establishes the identity of an agent:  What does the agent know? (password, url)  What does the agent possess? (smart card)  What does the agent have physical access to? (network, computer)  What are the physical properties of the agent? (fingerprint) Authorization: establishes what an authenticated agent may do  Access control lists  Manager  administrator  Group memberships  Sudoers group  WebDev group 17

Security Techniques: Encryption Allows data to be stored and transmitted securely, even when the bits are viewed by unauthorized agents, and the encryption algorithms are known  Public/Private key encryption 18

Security Techniques: Public/Private key encryption Also known as asymmetric cryptography  User (Alice) generates a key value which they make public  Alice then use the public key (plus additional info) to generate a private key  Only Alice knows the private key  Others can use Alice’s public key to encrypt a message for Alice  Alice can use the private key to decrypt the message Example: RSA (used extensively)  Select two very large prime numbers, P and Q.  Compute the product M = P * Q, and make M publically available. (Public Key)  RSA recommends M that’s at least 768 bits long  Next compute T = (P-1) * (Q-1)  The user maintains the value of T, P, and Q as a secret. (Private Key) 19

Programming secure software Programs that interface with the outside world (websites, mail servers, etc.) need to be written in a manner that resists intrusion.  Insecure interactions between components  Risky resource management  Porous defences Project management and test procedures must ensure that programs avoid these errors. For the top 25 programming errors, see:  20

Programming secure software The following list is from the SANS security institute, Essential Skills for Secure Programmers Using Java/JavaEE  Input handling  Authentication & session management  Access control (authorization)  Java types & JVM management  Application faults & logging  Encryption services  Concurrency and threading  Connection patterns 21

Supplemental reading Butler W. Lampson, “Computer Security in the Real World”. IEEE Computer, June  PDF posted on the course website 22

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.