SEC835 Database and Web application security Information Security Architecture

Terms and definitions Threat – a potential for violation of security. Threats always exist Threat agent, or attacker, or an adversary, – an entity that attacks the system Attack – a deliberate action undertaken in order to compromise the system security Countermeasure, or security controls, - anything (action, device, technique) undertaken to address security threats Risk – a probability of the attack occurrence Vulnerability – a weakness of the system that may be exploited by an attacker

Information Security assets Data Business data Security data Technology Software Hardware Network

What to protect For the company information assets to protect Confidentiality – access to the information is allowed to authorized persons only Integrity – data has not been changed maliciously in either storing, transferring or processing Availability – data is available in accordance to business requirements, and to authorized persons

Key Security Concepts

Domains of controls National Institute of Standards and Technology (NIST) recommends the following classification of controls Management Operational Technical

Category of controls Preventive Prevent the attack Detective In case of attack occurrences help to discover security holes

Management controls InfoSec policies System Security Plan Security Risks Management Secure System Development Life Cycle Legal compliance policy Auditing policy

Operational controls Planning for contingency Disaster recovery plan Incident response plan Security Education, Training and Awareness Program (SETA) Personnel Security Physical security

Technical controls Security services Identification, Authentication, Authorization, and Accountability, aka Access Control Audit Trails Cryptography Secure error handling Data validation

Technical controls Network security (out of our scope) Firewalls Intrusion Detection Systems

Secure Software Fundamental for nowadays computer system security Ensure absence of security holes in the code Apply to both security services and to business applications

Achieving secure software Requires a clear definition of “secure” Requires defined process with clear objectives and outputs Requires integration with existing practices

Assurance Axiom: It is impossible to demonstrate with absolute certainty that a moderately complex application doesn't have any vulnerabilities. Second Best: We can provide assurance that an application was designed, implemented, tested in rigorous ways (and by skilled people) Decrease the likelihood of vulnerabilities and other defects Training in secure programming provides assurance Software engineering processes designed for assurance

Traditional Application Security A network-centric approach = “penetrate and patch” based primarily on finding and fixing known security problems after they have been exploited in fielded systems It is reactive It is too late

New concept of software security The process of building secure software Designing software to be secure Verifying that software is secure Educating software developers, architects, and users about how to build security in from the start Secure practitioners proactively attempt to build software that can withstand attack

The processes of secure development cont./

The processes of secure development Secure System Development Lifecycle (SecSDLC) Security Requirements Information Security Assets inventory Threat modeling Risk analysis and evaluation Security requirements development Secure Design and Specification Secure design patterns identification Secure software architecture built Convert design solution into implementation specification Verify security solution Evaluate security solution – residual risk statement cont./

The processes of secure development Secure System Development Lifecycle cont Implementation Coding security standards and guidelines Testing Security test cases Source code review – static analysis Move to production Residual risks statement Maintenance Risk assessment and audit Ongoing support and changes cont./

The processes of secure development Project Management Secure development must be integrated into Software Development Lifecycle, and into formal project management methodology and processes That is where concepts obtain their implementers Integrated into Project Management Identify deliverables Identify roles and responsibilities Incorporate into project schedule Monitor the deliverables on a regular basis

Multi-Tiered Security Not a single security mechanism is sufficient Design security architecture as a multi- tiered defence Technical controls Operational controls Management controls, aka governance

Security Policy Governance is presented as an enterprise information security policies Examples: Physical security policy Infrastructure security policy Access control policy Business continuity policy

Security Policy (cont) Human factors Security Awareness, Training, and Education (SETA) Employment policy Acceptable use policy

SETA Goal – educate employees in order to prevent security incidents and to be capable to legally enforce employees’ liability Continuing learning Security training

Employment policy Identify security aspects related to an employee: Hiring Changing state in the company Termination

Acceptable use policy Define acceptable use of the company assets, e.g.: Internet Mobile phone, Computer Other equipment

Week 1 Lab – 1% Review the document “National Bank Acceptable Use Policy” Answer the questions printed on an enclosed sheet.