S-vector for Web Application Security Assessment: Review of Term Project Requirements and PDR Results
CS996 ISM, Spring 2005
Dr. William Hery
Term Project Goals
- Primary goal: to understand the integration of security into systems engineering
  - It's about the process: a systematic approach to developing and understanding security requirements, and how those requirements lead to getting the right security into the system
  - It's not about using intuition to get the security design and then going back to find the requirements that lead you to that design (that's the way politicians work :-) )
  - On small projects (like your term project) that might work, but on large-scale projects it is a recipe for disaster
  - The logical sequence of getting to the security design is what you should understand from this.
- Secondary goal: to see how to use some of the other security management processes in the project design
Term Project
- Pick a system (discuss choice with me)
  - Want simple functionality, security issues, whole system (e.g., client and server side)
- Submit a 1-2 page proposal to management (Dr. Hery)
- Assess risks, threats, vulnerabilities
- Develop a security policy
- Do a high-level system security design
- Present a "preliminary design review" (PDR) to management (include risk analysis, policies, system architecture)
- Iterate on risk assessment, policy, design (what you should be up to now...)
- Present a final "critical design review" (CDR) to management and the class (optional, but strongly recommended to get my feedback)
  - DATE: Wed, April 5 (reading day), all afternoon
- Write a final report to management on the above
  - Due 5 PM on the date of the final. NO EXCEPTIONS
Example Project
- Pick a useful system, not an underlying technology
- Start with a "mission need statement"
- Describe the CONOPS
- Make explicit (and probably realistic) assumptions about infrastructure
- Major project steps:
  - Thorough risk analysis
  - Develop security policies
  - Perform the system security engineering: use the risk analysis and policy to determine the security functions needed, and then develop an architecture that has all the security functions and the hardware and software components to enforce the security policies
- Major project deliverables:
  - Proposal
  - Preliminary design review (PDR)
  - Critical design review to the class (CDR)
  - Final report on the design
PDR for the Term Project
- High-level requirements
  - Functional requirements (what the system should do)
  - Risk analysis to identify assets that need to be protected
  - Any legal requirements
  - Any corporate or organizational security policies not included above
- High-level security policies
- System architecture
PDR (Continued)
- Develop a high-level security architecture based on the requirements
  - What security technologies and processes will be used (firewalls, crypto, IDS, etc.)
  - Where they are to be used
- Develop a "Security Compliance Matrix"
  - List all security requirements, and show which parts of the security technology and processes are used to meet each requirement
- Do a security requirements traceback
  - Show how each security technology or process is based on a requirement
- Present any security "trade studies"
Security System Engineering Process (process diagram; PDR steps shown in blue in the original)
Elements shown in the diagram: Mission Need; CONOPS; System Architecture; Primary Security Requirements; Legal Requirements; Assets at Risk; Corporate/Organizational Policy; Security Architecture; Threat Analysis; Vulnerability Analysis; System Design; Security Design; Derived Security Requirements; Other Requirements; Preliminary Risk Analysis; Functional Requirements; Risk Analysis; Assess
CDR and Final Report Outline (in order!)
- System Overview
  - Mission Needs statement
  - System Functional Overview
  - System CONOPS
- Primary Requirements Analysis
  - Risk Analysis
    - Assets and values
    - Threats
    - Discuss asset/threat combinations
  - Applicable broad corporate/organizational policies
    - List of policy areas
    - At least one applicable policy written out in detail
  - Applicable legal issues
  - Requirements based on the above
- Preliminary Architecture
  - Preliminary System Architecture
  - Preliminary Security Architecture
  - Justify what you do in terms of requirements
CDR and Final Report Outline (continued)
- Security Trade Studies (at least 2, for either the preliminary security architecture or the design)
  - List options for how to do something related to security
  - List factors that impact the decision (e.g., costs, development time, support, security... this is not a complete list)
- Preliminary Assessment (simplified)
  - Requirements allocation matrix: show which elements of the system are used to meet each requirement
  - Requirements traceback: for any security-specific element (e.g., firewall, crypto...) or feature, show what requirement forces you to provide it
- System Design
  - Adds detail to the architecture
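As an added example (not code from the course slides), the Python below builds the compliance (requirements allocation) matrix and performs the requirements traceback that the PDR and CDR slides ask for: each architecture element maps to the requirements it is used to meet, and each requirement maps back to the asset/threat combination that produced it. The two checks the slides describe then fall out directly: requirements that no element covers (gaps in the design), and elements that no requirement forces you to provide (the intuition-first design the goals slide warns against). The requirement ids, risks and architecture elements are constructed for a hypothetical web application and are assumptions, not taken from the slides.

```python
"""Requirements allocation (compliance) matrix and requirements traceback.

Added example; not part of the original course slides. The requirement ids,
asset/threat pairs and architecture elements below are constructed for a
hypothetical web application and are assumptions, not taken from the slides.
"""

# Constructed sample: asset/threat combinations from the risk analysis, each
# producing one or more derived security requirements.
RISKS = {
    "R1": ("customer records", "disclosure to outsiders"),
    "R2": ("customer records", "eavesdropping on the network"),
    "R3": ("admin account", "misuse by an insider"),
}

# Constructed sample: security requirements, each traceable to a risk
# (requirements from policy or law would be listed the same way).
REQUIREMENTS = {
    "SR-1": ("Only authenticated users may read customer records", "R1"),
    "SR-2": ("Customer records are encrypted in transit", "R2"),
    "SR-3": ("Admin actions are logged and reviewable", "R3"),
    "SR-4": ("The server is reachable from the Internet on HTTPS only", "R1"),
    "SR-5": ("Passwords are stored only as salted hashes", "R1"),
}

# Constructed sample: security elements of the architecture (technologies and
# processes) with the requirement(s) each is used to meet.
ELEMENTS = {
    "Login with session cookies": ["SR-1"],
    "TLS on the web server": ["SR-2", "SR-4"],
    "Perimeter firewall (allow 443 only)": ["SR-4"],
    "Audit log of admin actions": ["SR-3"],
    "Network IDS": [],  # nothing in the requirements asks for this (yet)
}


def allocation_matrix(requirements, elements):
    """Requirement id -> elements used to meet it (the compliance matrix)."""
    matrix = {req_id: [] for req_id in requirements}
    for element, req_ids in elements.items():
        for req_id in req_ids:
            if req_id not in matrix:
                raise KeyError(f"{element!r} cites unknown requirement {req_id}")
            matrix[req_id].append(element)
    return matrix


def uncovered_requirements(requirements, elements):
    """Requirements that no element meets: gaps the design must still close."""
    matrix = allocation_matrix(requirements, elements)
    return sorted(req_id for req_id, used in matrix.items() if not used)


def unjustified_elements(elements):
    """Traceback failures: elements that no requirement forces you to provide."""
    return sorted(element for element, req_ids in elements.items() if not req_ids)


def trace(element, requirements=REQUIREMENTS, risks=RISKS, elements=ELEMENTS):
    """Full traceback for one element: requirement -> asset/threat it came from."""
    chain = []
    for req_id in elements[element]:
        text, risk_id = requirements[req_id]
        asset, threat = risks[risk_id]
        chain.append((req_id, text, asset, threat))
    return chain


def render_matrix(requirements, elements):
    """Plain-text matrix for a PDR slide: one row per requirement, one column per element."""
    matrix = allocation_matrix(requirements, elements)
    names = list(elements)
    lines = [f"E{i + 1}: {name}" for i, name in enumerate(names)]
    lines.append("")
    lines.append("       " + " ".join(f"E{i + 1:<2}" for i in range(len(names))))
    for req_id in requirements:
        cells = [" X " if name in matrix[req_id] else " . " for name in names]
        lines.append(f"{req_id:6} " + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(REQUIREMENTS, ELEMENTS))
    print("Uncovered requirements:", uncovered_requirements(REQUIREMENTS, ELEMENTS))
    print("Elements without a requirement:", unjustified_elements(ELEMENTS))
    for req_id, text, asset, threat in trace("TLS on the web server"):
        print(f"TLS <- {req_id} ({text}) <- {asset} / {threat}")
```

With the constructed data, SR-5 shows up as uncovered (no element stores passwords as salted hashes) and the network IDS shows up as unjustified; in a real project the first result adds an element to the design and the second either gets a requirement written for it (backed by a risk, policy or law) or is dropped from the architecture.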
CDR and Final Report Outline (continued)
- Update Risk Analysis
  - Identify vulnerabilities (just show vulnerable areas, not lists of specific exploits)
  - Update the risk analysis to reflect the vulnerabilities
    - Revise the assessment of asset/threat combinations
    - Identify the risk approach for each (mitigate, accept, transfer; may be a combination for many)
  - Update security requirements to reflect the new risk assessment
- Security Design
  - Add detail to the architecture based on the updated requirements
- Update Simplified Security Assessment
  - Requirements Analysis
  - Compliance Matrix
- Other Security Management Issues (at most one slide/one page on each)
  - Outline an appropriate business continuity plan
  - Discuss any TRANSEC/EMSEC issues and how to address them. Justify.
  - Discuss what kinds of physical security to provide. Justify.