Secure Software Development

security software development

/در /توسط

Secure Software Development

< استفاده از مطالب سایت فراکنش با ذکر منبع مجاز است.>

Security Policy

• What is a security policy?

—Defines what it means for a system to be secure

• Formally: Policy partitions system states into:

—Authorized (secure) sates: These are states the system can enter

—Unauthorized (nonsecure) sates: If the system enters any of these states, it’s a security violation  (a breach of security )

• Secure system

—Starts in an authorized state

—Never enters unauthorized states

Example

• S1 and S2 are authorized states

• S3 and S4 are unauthorized states

• Is this Finite State Machine Secure?

example

Security Models/ Policy Models

Abstract description of a policy or class of policies

Types of Security Policies

—• Military (governmental) security policy

Policy primarily protecting confidentiality

—• Commercial security policy

Policy primarily protecting integrity

—• Confidentiality policy

Policy protecting only confidentiality

—• Integrity policy

Policy protecting only integrity

Confidentiality Property

• X set of entities, I information

• I has confidentiality property with respect to X if no x Î X can obtain information from I

• I can be disclosed to others

• Example:

—X set of students

—I final exam answer key

—I is confidential with respect to X if students cannot obtain final exam answer key

Integrity Property

• X set of entities, I information

• I has integrity property with respect to X if all x Î X trust information in I

• Types of integrity:

—trust I, its transportation and protection (data integrity)

—I information about origin of something or an identity (origin integrity, authentication)

—I resource: means resource functions as it should (assurance)

Availability Property

X set of entities, I resource

• I has availability property with respect to X if all x Î X can access I

• Types of availability:

—traditional: x gets access or not

—quality of service: promised a level of access (for example, a specific level of bandwidth) and not meet it, even though some access is achieved

Question

• Policy disallows cheating

—Includes copying homework, with or without permission

• CS class has students do homework on computer

• Alice forgets to read-protect her homework file

• Bob copies it

• Who cheated?

—Alice, Bob, or both?

ادامه مطلب و دانلود مقاله

References

Matt Bishop, Computer Security: Art and Science, Chapters 4 & 5, 2002-2004.

Chris Clifton, CS 526: Information Security course, Purdue university, 2010.

William Stallings and Lawrie Brown, Computer Security: Principles and Practice, 3/e, Chapter 13, 2011.

Security Models and Architecture, CISSP Exam Preparation, Bernie Eydt, EDS