Extending a secure development methodology to distributed systems

Slides:

Advertisements

Similar presentations

DDBMS Security - Bakul Gada.

Advertisements

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Unifying the Conceptual levels of Network Security through use of Patterns. PhD Proposal Ajoy Kumar Secure Systems Research Group – Florida Atlantic University.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

Secure Middleware (?) Patrick Morrison 3/1/2006 Secure Systems Group.

Secure Systems Research Group - FAU Security patterns Eduardo B. Fernandez Dept. of Computer Science and Engineering Florida Atlantic University Boca Raton,

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

Systems Analysis and Design in a Changing World, 6th Edition 1 Chapter 6.

1 Restricted to Nortel Networks Internal Review Ebusiness Infrastructure Platform.

Incorporating database systems into a secure software development methodology Eduardo B. Fernandez, Jan Jurjens, Nobukazu Yoshioka, and Hironori Washizaki.

Norman SecureSurf Protect your users when surfing the Internet.

Mobility Without Vulnerability: Secure and Enable Your Mobile Users, Apps, and Devices David Clapp – Intuitive.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

INFO 355Week #61 Systems Analysis II Essentials of design INFO 355 Glenn Booker.

Mobile Databases: a Selection of Open Issues and Research Directions Authors: Rachid Guerraoui et al. Sources: SIGMOD Record, 33(2), pp.78-83, 2004 Adviser:

Patterns for Location and Context-based access control

1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.

SAML, XACML & the Terrorism Information Sharing Environment “Interoperable Trust Networks” XML Community of Practice February 16, 2005 Martin Smith Program.

Computer Science and Engineering 1 Service-Oriented Architecture Security 2.

Windows Vista, 2007 Office system, and Exchange 2007 Better Together.

Co-design Environment for Secure Embedded Systems Matt Eby, Janos L. Mathe, Jan Werner, Gabor Karsai, Sandeep Neema, Janos Sztipanovits, Yuan Xue Institute.

Secure Systems Research Group - FAU Using patterns to compare web services standards E. Fernandez and N. Delessy.

KMS Products By Justin Saunders. Overview This presentation will discuss the following: –A list of KMS products selected for review –The typical components.

February 8, 2005IHE Europe Educational Event 1 Integrating the Healthcare Enterprise Basic Security Robert Horn Agfa Healthcare.

D ATABASE A DMINISTRATION L ECTURE N O 3 Muhammad Abrar.

11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.

Chris Pannozzo September 20,2007 CSC 101 Asssignment 2 Web Resources.

 What is Modeling What is Modeling  Why do we Model Why do we Model  Models in OMT Models in OMT  Principles of Modeling Principles of Modeling 

Secure Systems Research Group - FAU SW Development methodology using patterns and model checking 8/13/2009 Maha B Abbey PhD Candidate.

Secure Systems Research Group - FAU A Trust Model for Web Services Ph.D Dissertation Progress Report Candidate: Nelly A. Delessy, Advisor: Dr E.B. Fernandez.

1 System Analysis and Design Using UML INSTRUCTOR: Jesmin Akhter Lecturer, IIT, JU.

Extensible Access Control Framework for Cloud Applications KTH-SEECS Applied Information Security Lab SEECS NUST Implementation Perspective.

Proposal for RBAC Features for SDD James Falkner Sun Microsystems October 11, 2006.

Secure Systems Research Group - FAU 1 A Trust Model for Web Services Ph.D Dissertation Progess Report Candidate: Nelly A. Delessy, Advisor: Dr E.B. Fernandez.

Using security patterns to develop secure systems Eduardo B. Fernandez Florida Atlantic University.

Security Patterns for Web Services 02/03/05 Nelly A. Delessy.

Balancing Privacy, Security, and Access Presented by Chris Villarreal Minnesota Public Utilities Commission October 16, 2015.

Module 7: Implementing Security Using Group Policy.

11 Restricting key use with XACML* for access control * Zack’-a-mul.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE September Integrating Policy with Applications.

Gridshell Security Master Project Akylbek Zhumabayev Rochester Institute of Technology.

Creating SmartArt 1.Create a slide and select Insert > SmartArt. 2.Choose a SmartArt design and type your text. (Choose any format to start. You can change.

Secure middleware patterns E.B.Fernandez. Middleware security Architectures have been studied and several patterns exist Security aspects have not been.

Scalable and E ﬃ cient Reasoning for Enforcing Role-Based Access Control Tyrone Cadenhead Advisors: Murat Kantarcioglu, and.

IS3220 Information Technology Infrastructure Security

Presented by: Sonali Pagade Nibha Dhagat paper1.pdf.

Juniper Networks Mobile Security Solution Nosipho Masilela COSC 356.

IT Audit for non-IT auditors Cornell Dover Assistant Auditor General 31 March 2013.

Cosc 5/4765 NAC Network Access Control. What is NAC? The core concept: –Who you are should govern what you’re allowed to do on the network. Authentication.

Web Content Security Unlock the Power of the Web

Method – Notation 8 Hours.

Database Systems: Design, Implementation, and Management Tenth Edition

The Client-Server Model

Securing the Network Perimeter with ISA 2004

Configuring and Troubleshooting Routing and Remote Access

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

Advanced Borderless Network Architecture Sales Exam practice-questions.html.

SAMMS Secure Authorized Monitored Messaging System

Ebusiness Infrastructure Platform

NAAS 2.0 Features and Enhancements

Security & .NET 12/1/2018.

Requirements for Client-facing Interface to Security controller draft-ietf-i2nsf-client-facing-interface-req-02 Rakesh Kumar Juniper networks.

Scalable and Eﬃcient Reasoning for Enforcing Role-Based Access Control

Scalable and Eﬃcient Reasoning for Enforcing Role-Based Access Control

Distribution of access

Access Control What’s New?

Presentation transcript:

Extending a secure development methodology to distributed systems Yamile Villafuerte Florida Atlantic University Advisor: Eduardo B. Fernandez

Agenda Methodology Overview Extending the methodology to distributed applications Financial Institution Example Conclusions

Methodology Overview Security principles must be applied at every development stage: Requirements: List of all possible attacks. Deduce policies to mitigate attacks. Analysis: Analysis patterns with predefined authorizations based on roles. Design: Interfaces can be used to enforce authorizations. Distribution provides another dimension where security restrictions can be applied.

Extending the Methodology Choices at the design stage for distributed applications: Requirements Analysis Design Implementation Centralized Distributed Web Services Remote Objects Fixed Network Wireless Network

Extending the Methodology How can we keep consistency of the security constraints across all development stages? How can we represent security constraints in the lower levels? What are the implications of wireless devices in our design models? Representation using UML deployment diagrams

Wireless Devices Challenges Limitations: Limited power Limited communications bandwidth Limited processing power Relatively unreliable network connection Mobile Tend to get destroyed accidentally or maliciously Have effect on security

Mapping I Fixed Networks Wireless Networks UML Application <?xml version=”1.0” ?> -<Customer = “Info”> <name>Juan</name> </Customer> Web Services SAML, XML Encryption, XML Signature, XKMS, WS-Security CORBA Security, Sec. Broker, Dist. Objects UML Application XML Application Distribution Security Constraints WS Security Dist. Objects Security C1 C2 WS1 WS2 O1 O2 XACML (u1,op1,c1) SAML WS-Policy Simplified Standards

Mapping II XACML will allow us to express the security constraints defined in the conceptual model in XML Simplified versions of security standards.

Authorization rule using XACML "Permit manager to open account." There is a lot of XML notation there, but essentially the rule permits a specific subject, to perform a specific action against a specific resource.

A Financial Institution Example Use Case Diagram

Analysis Model with RBAC Authorization

Design Model

Correspondence of Rights Rights defined for Customer (subject) Views and wireless devices received a subset of these rights. Example: Wireless device can not download a complete list of transactions (limited number of records), but can read balance.

Correspondence of Rights

Conclusions and future work We presented some ideas of how to map applications and security constraints defined in the analysis stage. More work needs to be done to elaborate simplified versions of the security standards for web services and to map distribution and hardware.