Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University

2 Assurance in Requirements Definition and Analysis
• Threat – potential occurrence that can have an undesirable effect on the system assets or resources (can lead to undesirable consequences)
  – Breaches of confidentiality, disruption of integrity, or denials of service
• Vulnerability – weakness that makes it possible for a threat to occur
• Control – countermeasure that mitigates a threat or eliminates a vulnerability

3 Assurance in Requirements Definition and Analysis
• Security Mechanisms and Layered Architecture
  – Building Security In or Adding a Security Layer
    Reference monitor – access control concept of an abstract machine that mediates all accesses to objects by subjects
    Reference validation mechanism (RVM) – implementation of the reference monitor concept (must be tamperproof, must always be invoked, and must be small enough to be tested for completeness)
    Security kernel – combination of hardware and software that implements a reference monitor
    Trusted computing base (TCB) – all protection mechanisms within a computer system that are responsible for enforcing a security policy
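The reference monitor concept above, as an added Python illustration that is not part of the slides: a tiny reference validation mechanism whose single check() method is the only path to a protected object, so the "always invoked" and "small enough to test" properties can be confirmed by inspecting one short function. The policy table, subject names and file name are constructed sample data, and tamperproofness is not modelled (the policy is ordinary in-process data).

```python
from dataclasses import dataclass, field

class AccessDenied(Exception):
    pass

@dataclass
class ReferenceMonitor:
    # policy maps (subject, object) -> set of rights; constructed sample data
    policy: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # every decision is recorded

    def check(self, subject, obj, right):
        """The single mediation point: decides and audits every access."""
        allowed = right in self.policy.get((subject, obj), set())
        self.audit.append((subject, obj, right, "grant" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{subject} may not {right} {obj}")

class ProtectedFile:
    """Object whose only read/write paths call the monitor first."""
    def __init__(self, monitor, name, contents=""):
        self._monitor = monitor
        self.name = name
        self._contents = contents

    def read(self, subject):
        self._monitor.check(subject, self.name, "read")
        return self._contents

    def write(self, subject, data):
        self._monitor.check(subject, self.name, "write")
        self._contents = data

def demo():
    """Exercise the monitor with a constructed policy; returns the outcomes."""
    rm = ReferenceMonitor(policy={("alice", "payroll"): {"read", "write"},
                                  ("bob", "payroll"): {"read"}})
    f = ProtectedFile(rm, "payroll", "salary table")
    results = {"alice_read": f.read("alice")}
    f.write("alice", "salary table v2")
    results["bob_read"] = f.read("bob")
    try:
        f.write("bob", "tampered")
        results["bob_write"] = "allowed"
    except AccessDenied:
        results["bob_write"] = "denied"
    results["denials"] = sum(1 for e in rm.audit if e[3] == "deny")
    return results
```

Completeness testing here reduces to checking that every accessor of ProtectedFile calls check() before touching _contents, which is the property the RVM definition asks for.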

4 Assurance in Requirements Definition and Analysis
• Policy Definition and Requirements Specification
  – Specification – description of the characteristics of a computer system or program (must be clear, unambiguous, and complete)
    Extract applicable requirements from existing security standards (e.g. Common Criteria)
    Create a new policy from the results of threat analysis and existing policies
    Map the system to an existing model
• Justifying Requirements
  – Once a policy has been defined and specified, it must be shown to be complete and consistent.

5 Assurance During Systems and Software Design
• Design Techniques that Support Assurance
  – Module – set of related functions and pertinent data structures (objects)
  – Minimize communications between modules (avoid the use of global variables)
  – Assignment of privilege should be tightly controlled, and privileges revoked when no longer needed
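The last design technique above (privilege granted narrowly and revoked when no longer needed), as an added Python illustration that is not from the slides: a privilege is held only for the scope of a with-block and is revoked on every exit path, including a failure inside the block, and a handle kept past that scope no longer works. The privilege name "write:/var/log" and the rotate_log task are hypothetical.

```python
from contextlib import contextmanager

class RevokedPrivilege(Exception):
    pass

class Privilege:
    def __init__(self, name):
        self.name = name
        self.active = True

    def use(self, action):
        if not self.active:
            raise RevokedPrivilege(f"{self.name} was revoked")
        return f"{action} using {self.name}"

class PrivilegeManager:
    def __init__(self):
        self.granted = []   # privileges currently held by the program

    @contextmanager
    def with_privilege(self, name):
        # Grant for the with-block only; the finally clause revokes on
        # every exit path, including an exception raised inside the block.
        priv = Privilege(name)
        self.granted.append(priv)
        try:
            yield priv
        finally:
            priv.active = False
            self.granted.remove(priv)

def rotate_log(mgr, fail=False):
    """Hypothetical task that needs a write privilege only while it runs."""
    try:
        with mgr.with_privilege("write:/var/log") as priv:
            if fail:
                raise OSError("disk full")   # simulated mid-task failure
            return priv.use("rename old log")
    except OSError as err:
        return f"failed: {err}"

def leaked_handle_usable(mgr):
    """True if a handle kept past its with-block still works (it must not)."""
    with mgr.with_privilege("write:/var/log") as priv:
        pass
    try:
        priv.use("late write")
        return True
    except RevokedPrivilege:
        return False
```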

6 Assurance During Systems and Software Design
• Design Document Contents
  – Security functions – identifies the high-level security functions that are defined for the system (i.e. identification, authentication, access control, and auditing)
  – External Functional Specification – high-level description of external interfaces to a system, component, subcomponent, or module
  – Internal Design – describes the internal structures and functions of the components of a system
  – Review: guidelines, conflict resolution methods, completion procedures

7 Assurance in Implementation and Integration
• Implementation Considerations that Support Assurance
  – Choice of language – strong typing, built-in buffer overflow protections, data hiding, modularity, domains & domain access protections, garbage collection, error handling
• Assurance Through Implementation Management
  – Configuration Management
    Version control and tracking
    Change authorization
    Integration procedures
    Tools for product generation

8 Assurance in Implementation and Integration
• Justifying That the Implementation Meets the Design
  – Security Testing
    Functional testing
    Structural testing
    Unit testing
    Systems testing
    Third-party testing (independent testing)
    Security testing
• Assurance During Operation and Maintenance