Introduction to software security

Use of material from the Farakonesh site is permitted with attribution to the source.

What is Security?

Security /sɪˈkjʊərɪti/


the state of being free from danger or threat.

synonyms:  certainty, safe future, assured future, safety, reliability, dependability, solidness, soundness

A successful organization should have multiple layers of security in place:

—Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.

—Personal security: to protect the authorized individual (or group of individuals).

—Operations security: to protect the details of a particular operation or series of activities.

—Communications security: to protect an organization’s communications media, technology, and content.

—Network security: to protect networking components, connections, and contents.

—Information security

Basic Components

An Information System is secure if it supports CIA (confidentiality, integrity, availability):


Confidentiality: a good example is cryptography, which traditionally is used to protect secret messages. But cryptography is traditionally used to protect data, not resources. Resources are protected by limiting information, for example by using firewalls or address translation mechanisms.


Integrity: a good example here is that of an interrupted database transaction, leaving the database in an inconsistent state (this foreshadows the Clark-Wilson model). Trustworthiness of both data and origin affects integrity, as noted in the book’s example. That integrity is tied to trustworthiness makes it much harder to quantify than confidentiality. Cryptography provides mechanisms for detecting violations of integrity, but not preventing them (e.g., a digital signature can be used to determine if data has changed).


Availability: this is usually defined in terms of “quality of service,” in which authorized users are expected to receive a specific level of service (stated in terms of a metric). Denial of service attacks are attempts to block availability.
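
The integrity point above (cryptography detects a change but does not prevent it) can be seen in a short added example, which is not part of the original page. It uses an HMAC, a keyed message authentication code, in place of a digital signature because the detect-but-not-prevent property is the same; the key, the table rows and the function names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key; real keys live in a key store


def tag(record: dict, key: bytes = KEY) -> str:
    """MAC over a canonical, length-prefixed encoding of the record's fields."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in sorted(record):
        for part in (name, str(record[name])):
            data = part.encode()
            # The length prefix keeps field boundaries unambiguous.
            mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()


def audit(table: dict, tags: dict, key: bytes = KEY) -> list:
    """Return the ids of rows whose stored tag no longer matches their contents."""
    bad = []
    for row_id, record in table.items():
        if not hmac.compare_digest(tag(record, key), tags.get(row_id, "")):
            bad.append(row_id)
    return sorted(bad)


def demo() -> dict:
    # Constructed sample data: two account rows and their tags.
    table = {1: {"owner": "alice", "balance": 100}, 2: {"owner": "bob", "balance": 50}}
    tags = {row_id: tag(rec) for row_id, rec in table.items()}
    clean = audit(table, tags)
    # A writer without the key changes a row. Nothing stops the write itself.
    table[2]["balance"] = 5000
    write_went_through = table[2]["balance"] == 5000
    # A tag computed under any other key fails the audit as well.
    other_tags = dict(tags)
    other_tags[2] = tag(table[2], key=b"some-other-key")
    return {
        "clean": clean,
        "write_went_through": write_went_through,
        "after_change": audit(table, tags),
        "after_wrong_key_tag": audit(table, other_tags),
    }


if __name__ == "__main__":
    print(demo())
```

The audit reports row 2 only after the fact; keeping the write from happening is the job of access control, not of the MAC.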


The History of Information Security

Began immediately following the development of the first mainframes

—Developed for code-breaking computations

—During World War II

—Multiple levels of security were implemented

Physical controls


—Mainly composed of simple document classification

—Defending against physical theft, espionage, and sabotage

The need for computer security, or the need to secure the physical location of hardware from outside threats, began almost immediately after the first mainframes were developed.

Groups developing code-breaking computations during World War II created the first modern computers.

Badges, keys, and facial recognition of authorized personnel controlled access to sensitive military locations.

In contrast, information security during these early years was elementary and mainly composed of simple document classification schemes.

There were no application classification projects for computers or operating systems at this time, because the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.

The 1960s

Original communication by mailing tapes

Advanced Research Project Agency (ARPA)

—Examined feasibility of networked communications

Larry Roberts developed ARPANET


—Link computers

—Resource sharing

—Link 17 Computer Research Centers

—Cost: $3.4M

ARPANET is the predecessor to the Internet

During the 1960s, the Department of Defence’s Advanced Research Procurement Agency (ARPA) began examining the feasibility of a redundant networked communications system designed to support the military’s need to exchange information.

Larry Roberts, known as the founder of the Internet, developed the project from its inception.



Matt Bishop, Computer Security: Art and Science, the author homepage, 2004.

Michael E. Whitman, Principles of Information Security: Chapter 1: Introduction to Information Security, 4/e, 2011.

Chris Clifton, CS 526: Information Security course, Purdue University, 2010.