Engineering e-Business Applications for Security DISCUSSANT GERALD TRITES, FCA, CA*IT/CISA.

Basic Premise of Paper

“enterprises have prioritized and focused their IT security strategies and budgets on protection of the network perimeter and physical access control to the application system environment.” This premise is stated at the beginning of the paper, but no support is offered for it.

The argument goes on that threats have become more sophisticated and harder to protect against, and that this somewhat restricted, perimeter-centred approach to application security is no longer sufficient in the current environment.

Essentially, the paper is calling for a re-evaluation of the risk profile of modern applications, and for a stronger security architecture to compensate for the resultant higher risk profile.

Much of the paper is based on unsupported assertions around this argument, about the current state of IT architecture and infrastructure, the issues they pose and the solutions that are appropriate.

In most cases, any research brought into the discussion is referenced only in a general way and not specifically cited, so it would be difficult for a serious researcher to follow up on it.

For example:
Page 4 – a Gartner survey – What survey? What companies? A percentage of what?
Page 8 – What is the “ample evidence” from the Carnegie Mellon Institute?
Page 9 – What Gartner report?
Page 9 – “From observed hacker statistics” – What statistics? Who observed them? What did they observe?

The paper is not designed as an academic paper, and it would be fruitless to discuss it in that context. Even a white paper, however, should be written in such a way that it offers concrete support for its assertions, conclusions and recommendations.

The services included in the Integrated Applications Services Model (IASM) are:
1. Application Security Risk Review
2. Application Security Controls Review
3. Application Security Testing (Hacking)
4. Application Security Process Review
5. Application Secure Process Development
6. Application Security Architecture (a design and conceptualizing method)
7. Secure Application Solution Design
8. Application Security Code Reviews
9. Learning Services
10. Intelligence Services

The Recommendations for Application Security Strategies presented in the paper are as follows (pg 14 of the paper):
“Gaining a quantified understanding of the security risks associated with an enterprise e-Business application
Establishing a balanced set of security requirements in accordance with identified risks
Transforming security requirements into security controls and process guidance to be integrated into activities of development disciplines and methodologies employed on a development project and into the definition of system configuration, operation and maintenance goals
Establishing confidence or assurance in the correctness and effectiveness of security mechanisms using assessments, reviews, testing and certification
Determining impacts due to residual risk associated with security vulnerabilities in a system or its operation which are determined acceptable”

Despite its limitations, the white paper makes a good point: security for applications likely needs to be strengthened in the face of increasingly sophisticated threats. The services outlined in the white paper would probably be useful and timely for many businesses.

There has been an emphasis on the underlying infrastructure in security work in recent years, because hacker activity has often been directed at operating system and network vulnerabilities, and many user errors have originated from the same problems. Businesses have also been expanding their e-business activities and have had difficulty determining what the essential components of a secure e-business infrastructure are. This is why the Boritz study on Secure e-Business Infrastructure was commissioned by the CICA’s Information Technology Advisory Committee. In the course of expanding their e-business infrastructure, businesses have been making use of tools like XML and Web Services, which are integrative in nature and often involve in-house development. Accordingly, it is timely from this viewpoint as well to revisit the issue of including security controls in the development process.

These services by IBM may help to shift the emphasis and result in a more integrated approach to security planning and administration.

The White paper is a good awareness document.

THANK YOU!!