SlideShare ist ein Scribd-Unternehmen logo

What is Security, anyway? Software architecture for information security part 1 : Expressing requirements with iso27000 annotated

Chris F Carroll
Chris F Carroll

Software Architecture for Information Security Part 1 : Expressing requirements using the vocabulary of ISO 27000. Most of our attention in information security is given to threats. But our understanding of threats will be piecemeal & incomplete if we do not understand what threats threaten. We'll look at how to state and think about the core requirements, answering the question, “what is security anyway?” for the purpose of software systems.

Software
1 von 31
Downloaden Sie, um offline zu lesen
Software Architecture Chris F Carroll Software Architecture for Information Security Part 1: expressing requirements
Software Architecture Chris F Carroll ✤ Definitions & 
 Requirements I: Analysis ✤ Design ✤ Requirements II : Risk & Threats ✤ Implementation ✤ Verification ✤ Handover To deal with software security fully, we would go through the lifecycle. In this talk we’ll just look at the first bullet point.
Software Architecture Chris F Carroll Stating & Analysing 
 Information Security Requirements 
 using ISO 27000
Requirements Threatsvs. All requirements have edge cases but with security they expand into a whole second way of seeing the issue. Threats get all the news. But our understanding of threats remains piecemeal if we don’t understand the core requirements they are threatening. So we start here.
Software Architecture for Security Chris F Carroll How can we think about security? Let’s start at the beginning. To get security right, we want a framework for thinking about it: What are the questions we should ask and what concepts will help us to answer them?
How Can We Think About Security? Chris F Carroll ✤ WHAT are we trying to secure?
 ✤ WHO are we securing for or from?
 ✤ WHAT does security mean anyway? If we can answers these 3 questions then we have done most of the work of thinking about security. To help us answer them, we want some vocabulary or a framework.
Why use ISO 27000? ✓ ISO 27000 provides, if not a complete domain model for security, then at least a vocabulary. ✓ Our security policy and ISMS approach is based on the ISO 27000 series. At some point, our homegrown software has to dovetail with it. Chris F Carroll ISO 27000 series is a standards series for an information security management systems. It starts with a few pages of definitions. Which goes a long way to a framework for thinking about security. (actually you can get the same vocabulary from wikipedia or a software architecture textbook).
Group Policy Statement Information Security Policy v10.1, 2018 “We strive to protect the group’s critical information assets against all internal, external, deliberate or accidental threats throughout its lifecycle
 We protect against unauthorised access threatening the Confidentiality of our information and ensure that the Integrity and Availability of critical information is maintained.
 Our Information security policy is to ensure business continuity, minimising the risk of damage by preventing security incidents and reducing their potential impact. We are committed to continuous improvement, ongoing compliance with legislative and regulatory requirements and to ensuring our employees receive appropriate information security awareness training.” Leaving threats & risk aside for the moment, we could answer our 3 questions with just 5 key ideas: 
 Asset ; (Un)Authorised ; and Confidentiality, Integrity, Availability. Here’s an example attempt to think about security, in a security policy statement. The words in bold are drawn from ISO 27000.
How Can We Think About Security? Chris F Carroll ✤ WHAT are we trying to secure?
 ✤ WHO are we securing for or from?
 ✤ WHAT does security mean anyway? So now, let’s answer our 3 questions with this vocabulary
Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions These are the 2 asset classes of most concern to a software team. So now, let’s answer our 3 questions with this vocabulary
Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions We divide the world into two groups of people: The Authorised and 
 The Unauthorised.
Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions And we get a grip on what security means with the “3 dimensions” defined by the standard, widely referred to as 
 The C.I.A.
ISO 27000 Vocabulary for Secured Assets Chris F Carroll Asset: For us as business to say what needs securing (Un)Authorised: We as business decide who is authorised Confidentiality : “not made available or disclosed to unauthorised individuals, entities, or processes” Integrity : “accuracy and completeness” Availability : “accessible and usable upon demand by an authorised entity”
Relating Other Vocabulary to the Standard Chris F Carroll How do other vocabularies map to/from “Assets + Authorised Users + C.I.A.?” Read-access threatens Confidentiality Write-access threatens Integrity Deny-Read protects Confidentiality by restricting Availability Deny-Write protects Integrity, restricting Availability Access Control addresses C.I.A. requirements
Chris F Carroll Access Control: “to ensure that access to assets is authorised & restricted based on business and security requirements” ISO 27000 Vocabulary for Secured Assets
Relating Other Vocabulary to the Standard Chris F Carroll Users,Groups, Roles Identity, Principal, Claims These (and more) are all used to define 
 Authorised User ISO standard dates from 1990s (BS7799) How do other vocabularies map to/from Assets + Authorised Users + C.I.A.?
Relating Other Vocabulary to the Standard Chris F Carroll Authenticating Identity is our usual way to convince ourselves we have an Authorised User How does a system know that a user is authorised? Authentication : “Provision of assurance that a claimed characteristic of an entity is correct”
Relating Other Vocabulary to the Standard Chris F Carroll Confidentiality presumably implies Access Control: Deny-Read Integrity presumably implies Access Control: Deny-Write Availability may imply Grant-Read Grant-Write Uptime, backups, connectivity, resilience to attack How does C.I.A map back to other vocabularies? Note the last bullet. Security includes both functional and non-functional requirements (NFRs).
Security : Just 3 Questions Chris F Carroll ✤ WHAT are we trying to secure? ➡ Assets: Data Stores & Systems ✤ WHO are we securing for & from? ➡ (Un)Authorised Users ✤ WHAT does security mean anyway? ➡ C.I.A.
 N.B. the need to prove & improve security may result in requirements for audit, accountability, monitoring, etc. Thinking about security: We answered our 3 questions using only a few key ideas, but this is enough to state and analyse requirements.
Software Architecture Chris F Carroll How can we use this?
Security Requirements Chris F Carroll HLD or Architecture Template Express security requirements using the 3 Questions 1. WHAT Assets must this system secure? List Assets Accessed or Exposed
 1.1 Data Stores 1.2 Other Systems 2. WHO Are we securing For/From? Identify Authorised Roles and Authentication Mechanisms 3. WHAT do we mean by Security? State C.I.A. Requirements Per Asset Per Authorised Identity PROPOSAL A typical software architecture document includes a placeholder for security requirements. We can use the 3 Questions to structure the statement of requirements
Security Requirements Chris F Carroll HLD Security Requirements 1.1. Data Stores Accessed or Exposed by this Project Data Store Category or Risk Level New Exposure? 1. Shiva DB Confidential
 GDPR Yes PROPOSAL System Accessed or Exposed? New Exposure? 1. Adobe Campaign Manager Accessed Yes 2. SMS & Email Accessed Yes 1.2. Other Systems Accessed or Exposed by this Project 1. Let’s start with, simply, a list of assets that our new project will, or may, expose or access.
Security Requirements Chris F Carroll HLD Security Requirements 1.1. Data Stores Accessed or Exposed by this Project Data Store Category or Risk Level New Exposure? 1. Shiva DB Confidential
 GDPR Yes PROPOSAL System Accessed or Exposed? New Exposure? 1. Adobe Campaign Manager Accessed Yes 2. SMS & Email Accessed Yes 1.2. Other Systems Accessed or Exposed by this Project We didn’t discuss RISK earlier. Some assets are more risky, or valuable, than others. For each asset, assess the risk of a breach of C.I.A. requirements.
Security Requirements Chris F Carroll PROPOSAL User/Role/Principal Authentication Mechanism Online Customer OAuth2 provider Auth0 CCA Permission X AD Login CCA Permission Y AD Login HLD Security Requirements 2. Authorised Users/Roles & Authentication Mechanisms 2. 
 Divide the world into authorised and unauthorised. We often use Roles or Groups to define this division, because managing for hundreds or thousands of individuals is just too burdensome and error prone
Security Requirements Chris F Carroll PROPOSAL User/Role/Principal Authentication Mechanism Online Customer OAuth2 provider Auth0 CCA Permission X AD Login CCA Permission Y AD Login HLD Security Requirements 2. Authorised Users/Roles & Authentication Mechanisms If there is a more than one identity or login mechanism, then it helps to list them
Security Requirements Chris F Carroll PROPOSAL Asset Authorised User Confidentiality (Read Access is restricted to…) Integrity
 (Operations
 restricted to…) Customer DB Authenticated Customer Read access to own data only Permissions detailed below… Adobe Campaign Manager Service Account NONE needed Permitted Operations below… Email & SMS Service Account NONE needed Permitted Operations below… HLD Security Requirements 3. List CIA Requirements Per Asset Per Authorised User 3. Finally the detail of permissions: 
 User A is authorised to perform operation X on data Y Coming back to the System Assets, we are concerned about the risk raised by connectivity. The more we can restrict the connections—the interfaces—the more simple and easy to do the security
Security Requirements Chris F Carroll HLD Template Express security requirements using the 3 Questions 1. WHAT Assets must this system secure? List Assets Accessed or Exposed
 1.1 Data Stores 1.2 Other Systems 2. WHO Are we securing For/From? Identify Authorised Roles and Authentication Mechanisms 3. WHAT do we mean by Security? State C.I.A. Requirements Per Asset Per Authorised Identity PROPOSAL
Security Requirements Analysis Chris F Carroll Asset Id Assets Where is it? Type of Asset Who's Asset? Required Confidentiality Level Required Availability & Integrity Level 1 LB code and scripts BitBucket, Dev Machines, Private NuGet Our labour LB Low Medium 2 AWS Dev AWS Dev Our labour LB Low Medium 3 AWS Live Infrastructure Design & Runtime AWS Live: ECS EC2 Operations LB Low Business Process Critical 4 All Customer's Business Data AWS Live: ECS EC2 DB Customers' Data Customers Business Critical Business Process Critical 5 All Customer's Customers Personal Data AWS Live: ECS EC2 DB Logs Personal Data Customers' Customers Business & Regulatory Critical Business Process Critical 6 Single Customer's Business Data AWS Live: ECS EC2 DB Customer's Data Customers Business Critical Business Process Critical 7 Single Customer's Customers Personal Data AWS Live: ECS EC2 DB Logs Personal Data Customer's Customers Business & Regulatory Critical Business Process Critical Asset List for a cloud-hosted multi-tenant service More complex example
Design for Security Requirements Chris F Carroll Confidentiality : per-customer confidentiality for an online system implies we must design row-level security and be able to verify it is implemented correctly Integrity : If all write access goes through a single tightly controlled interface, we can prove that no unexpected modifications are possible Auth (login, lockout, password reset): Buy or Build? Design Decisions, Tactics, Implementation Rules
 follow on from Security Requirements
Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions
Software Architecture Chris F Carroll ✓ Definitions & 
 Requirements I : Analysis ✤ Design ✤ Requirements II : Threats & Risks ✤ Implementation ✤ Verification ✤ Handover

Empfohlen

Software Technical Design for Information Security: A short intro for Tech Le...
Software Technical Design for Information Security: A short intro for Tech Le...Software Technical Design for Information Security: A short intro for Tech Le...
Software Technical Design for Information Security: A short intro for Tech Le...Chris F Carroll
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 3Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 3FRSecure
 
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...EC-Council
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 
Fundamentals of Information Systems Security Chapter 9
Fundamentals of Information Systems Security Chapter 9Fundamentals of Information Systems Security Chapter 9
Fundamentals of Information Systems Security Chapter 9Dr. Ahmed Al Zaidy
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
Cyber Security Resilience & Risk Aggregation
Cyber Security Resilience & Risk AggregationCyber Security Resilience & Risk Aggregation
Cyber Security Resilience & Risk AggregationRamiro Cid
 

Empfohlen

Software Technical Design for Information Security: A short intro for Tech Le...
Software Technical Design for Information Security: A short intro for Tech Le...Software Technical Design for Information Security: A short intro for Tech Le...
Software Technical Design for Information Security: A short intro for Tech Le...Chris F Carroll
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 3Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 3FRSecure
 
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...EC-Council
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 
Fundamentals of Information Systems Security Chapter 9
Fundamentals of Information Systems Security Chapter 9Fundamentals of Information Systems Security Chapter 9
Fundamentals of Information Systems Security Chapter 9Dr. Ahmed Al Zaidy
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
Cyber Security Resilience & Risk Aggregation
Cyber Security Resilience & Risk AggregationCyber Security Resilience & Risk Aggregation
Cyber Security Resilience & Risk AggregationRamiro Cid
 
Thinking on risk analysis
Thinking on risk analysisThinking on risk analysis
Thinking on risk analysisRamiro Cid
 
Security Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesSecurity Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesDuo Security
 
Source Code Security the Symantec Way
Source Code Security the Symantec WaySource Code Security the Symantec Way
Source Code Security the Symantec WaySymantec
 
InfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 AInfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 AWard Pyles
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Dr. Ahmed Al Zaidy
 
How to Pass the CISSP Exam For the First Time
How to Pass the CISSP Exam For the First TimeHow to Pass the CISSP Exam For the First Time
How to Pass the CISSP Exam For the First TimeMercury Solutions Limited
 
Preserving the Privilege during Breach Response
Preserving the Privilege during Breach ResponsePreserving the Privilege during Breach Response
Preserving the Privilege during Breach ResponsePriyanka Aash
 
An apporach to AIM - A strategy proposal and recommendation - ver 0.1
An apporach to AIM - A strategy proposal and recommendation - ver 0.1An apporach to AIM - A strategy proposal and recommendation - ver 0.1
An apporach to AIM - A strategy proposal and recommendation - ver 0.1Michael Clarkson
 
Symantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesEC-Council
 
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPAREDDATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPAREDPriyanka Aash
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Duo Security
 
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...IBM Security
 
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerSecuring Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerDuo Security
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldSafeNet
 
Employee Awareness in Cyber Security - Kloudlearn
Employee Awareness in Cyber Security - KloudlearnEmployee Awareness in Cyber Security - Kloudlearn
Employee Awareness in Cyber Security - KloudlearnKloudLearn
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilitySafeNet
 
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxinfosec train
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSecurestorm
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfChinatu Uzuegbu
 

Weitere ähnliche Inhalte

Was ist angesagt?

Thinking on risk analysis
Thinking on risk analysisThinking on risk analysis
Thinking on risk analysisRamiro Cid
 
Security Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesSecurity Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesDuo Security
 
Source Code Security the Symantec Way
Source Code Security the Symantec WaySource Code Security the Symantec Way
Source Code Security the Symantec WaySymantec
 
InfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 AInfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 AWard Pyles
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Dr. Ahmed Al Zaidy
 
How to Pass the CISSP Exam For the First Time
How to Pass the CISSP Exam For the First TimeHow to Pass the CISSP Exam For the First Time
How to Pass the CISSP Exam For the First TimeMercury Solutions Limited
 
Preserving the Privilege during Breach Response
Preserving the Privilege during Breach ResponsePreserving the Privilege during Breach Response
Preserving the Privilege during Breach ResponsePriyanka Aash
 
An apporach to AIM - A strategy proposal and recommendation - ver 0.1
An apporach to AIM - A strategy proposal and recommendation - ver 0.1An apporach to AIM - A strategy proposal and recommendation - ver 0.1
An apporach to AIM - A strategy proposal and recommendation - ver 0.1Michael Clarkson
 
Symantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesEC-Council
 
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPAREDDATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPAREDPriyanka Aash
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Duo Security
 
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...IBM Security
 
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerSecuring Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerDuo Security
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldSafeNet
 
Employee Awareness in Cyber Security - Kloudlearn
Employee Awareness in Cyber Security - KloudlearnEmployee Awareness in Cyber Security - Kloudlearn
Employee Awareness in Cyber Security - KloudlearnKloudLearn
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilitySafeNet
 

Was ist angesagt? (19)

Thinking on risk analysis
Thinking on risk analysisThinking on risk analysis
Thinking on risk analysis
 
Security Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesSecurity Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the Headlines
 
Source Code Security the Symantec Way
Source Code Security the Symantec WaySource Code Security the Symantec Way
Source Code Security the Symantec Way
 
InfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 AInfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 A
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11
 
How to Pass the CISSP Exam For the First Time
How to Pass the CISSP Exam For the First TimeHow to Pass the CISSP Exam For the First Time
How to Pass the CISSP Exam For the First Time
 
Preserving the Privilege during Breach Response
Preserving the Privilege during Breach ResponsePreserving the Privilege during Breach Response
Preserving the Privilege during Breach Response
 
An apporach to AIM - A strategy proposal and recommendation - ver 0.1
An apporach to AIM - A strategy proposal and recommendation - ver 0.1An apporach to AIM - A strategy proposal and recommendation - ver 0.1
An apporach to AIM - A strategy proposal and recommendation - ver 0.1
 
Symantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to Maturity
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
 
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPAREDDATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of Security
 
Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...
 
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
 
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHellerSecuring Access to PeopleSoft ERP with Duo Security and GreyHeller
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
 
Employee Awareness in Cyber Security - Kloudlearn
Employee Awareness in Cyber Security - KloudlearnEmployee Awareness in Cyber Security - Kloudlearn
Employee Awareness in Cyber Security - Kloudlearn
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
 

Ähnlich wie What is Security, anyway? Software architecture for information security part 1 : Expressing requirements with iso27000 annotated

Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxinfosec train
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSecurestorm
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfChinatu Uzuegbu
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...lior mazor
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Wendy Knox Everette
 
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docxalinainglis
 
Information security[277]
Information security[277]Information security[277]
Information security[277]Timothy Warren
 
Vulnerability Analyst interview Questions.pdf
Vulnerability Analyst interview Questions.pdfVulnerability Analyst interview Questions.pdf
Vulnerability Analyst interview Questions.pdfinfosec train
 
BCM and IT Security
BCM and IT SecurityBCM and IT Security
BCM and IT Securityleninkster
 
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Edureka!
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditorsmdagrossa
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010joevest
 
Contrast & Compare & Contrast Information Security Roles
Contrast & Compare & Contrast Information Security Roles Contrast & Compare & Contrast Information Security Roles
Contrast & Compare & Contrast Information Security Roles LearningwithRayYT
 
Guide: Security and Compliance
Guide: Security and ComplianceGuide: Security and Compliance
Guide: Security and ComplianceQuestionPro
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionIvanti
 
Cybersecurity Interview Questions Part -2.pdf
Cybersecurity Interview Questions Part -2.pdfCybersecurity Interview Questions Part -2.pdf
Cybersecurity Interview Questions Part -2.pdfInfosec Train
 
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptxCompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptxInfosectrain3
 
Securing Citizen Facing Applications
Securing Citizen Facing ApplicationsSecuring Citizen Facing Applications
Securing Citizen Facing Applicationsedwinlorenzana
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management ActMichelle Singh
 

Ähnlich wie What is Security, anyway? Software architecture for information security part 1 : Expressing requirements with iso27000 annotated (20)

Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game plan
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdf
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
 
Information security[277]
Information security[277]Information security[277]
Information security[277]
 
Vulnerability Analyst interview Questions.pdf
Vulnerability Analyst interview Questions.pdfVulnerability Analyst interview Questions.pdf
Vulnerability Analyst interview Questions.pdf
 
BCM and IT Security
BCM and IT SecurityBCM and IT Security
BCM and IT Security
 
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010
 
Contrast & Compare & Contrast Information Security Roles
Contrast & Compare & Contrast Information Security Roles Contrast & Compare & Contrast Information Security Roles
Contrast & Compare & Contrast Information Security Roles
 
Guide: Security and Compliance
Guide: Security and ComplianceGuide: Security and Compliance
Guide: Security and Compliance
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
Cybersecurity Interview Questions Part -2.pdf
Cybersecurity Interview Questions Part -2.pdfCybersecurity Interview Questions Part -2.pdf
Cybersecurity Interview Questions Part -2.pdf
 
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptxCompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
 
Securing Citizen Facing Applications
Securing Citizen Facing ApplicationsSecuring Citizen Facing Applications
Securing Citizen Facing Applications
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 

Mehr von Chris F Carroll

Deep Learning in 90 seconds. With a side of Algorithm Bias
Deep Learning in 90 seconds. With a side of Algorithm BiasDeep Learning in 90 seconds. With a side of Algorithm Bias
Deep Learning in 90 seconds. With a side of Algorithm BiasChris F Carroll
 
Agile Software Architecture
Agile Software ArchitectureAgile Software Architecture
Agile Software ArchitectureChris F Carroll
 
Software Architecture: Why and What?
Software Architecture: Why and What?Software Architecture: Why and What?
Software Architecture: Why and What?Chris F Carroll
 
Clojure (and some lisp) in 10 mins for OO developers
Clojure (and some lisp) in 10 mins for OO developersClojure (and some lisp) in 10 mins for OO developers
Clojure (and some lisp) in 10 mins for OO developersChris F Carroll
 
Doing Architecture with Agile Teams IASA UK Summit 2013
Doing Architecture with Agile Teams IASA UK Summit 2013Doing Architecture with Agile Teams IASA UK Summit 2013
Doing Architecture with Agile Teams IASA UK Summit 2013Chris F Carroll
 
XP-Manchester 2013 Software Architecture for Agile Developers Intro
XP-Manchester 2013 Software Architecture for Agile Developers IntroXP-Manchester 2013 Software Architecture for Agile Developers Intro
XP-Manchester 2013 Software Architecture for Agile Developers IntroChris F Carroll
 

Mehr von Chris F Carroll (6)

Deep Learning in 90 seconds. With a side of Algorithm Bias
Deep Learning in 90 seconds. With a side of Algorithm BiasDeep Learning in 90 seconds. With a side of Algorithm Bias
Deep Learning in 90 seconds. With a side of Algorithm Bias
 
Agile Software Architecture
Agile Software ArchitectureAgile Software Architecture
Agile Software Architecture
 
Software Architecture: Why and What?
Software Architecture: Why and What?Software Architecture: Why and What?
Software Architecture: Why and What?
 
Clojure (and some lisp) in 10 mins for OO developers
Clojure (and some lisp) in 10 mins for OO developersClojure (and some lisp) in 10 mins for OO developers
Clojure (and some lisp) in 10 mins for OO developers
 
Doing Architecture with Agile Teams IASA UK Summit 2013
Doing Architecture with Agile Teams IASA UK Summit 2013Doing Architecture with Agile Teams IASA UK Summit 2013
Doing Architecture with Agile Teams IASA UK Summit 2013
 
XP-Manchester 2013 Software Architecture for Agile Developers Intro
XP-Manchester 2013 Software Architecture for Agile Developers IntroXP-Manchester 2013 Software Architecture for Agile Developers Intro
XP-Manchester 2013 Software Architecture for Agile Developers Intro
 

Kürzlich hochgeladen

%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...masabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benonimasabamasaba
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburgmasabamasaba
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...masabamasaba
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in sowetomasabamasaba
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 

Kürzlich hochgeladen (20)

%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 

What is Security, anyway? Software architecture for information security part 1 : Expressing requirements with iso27000 annotated

  • 1. Software Architecture Chris F Carroll Software Architecture for Information Security Part 1: expressing requirements
  • 2. Software Architecture Chris F Carroll ✤ Definitions & 
 Requirements I: Analysis ✤ Design ✤ Requirements II : Risk & Threats ✤ Implementation ✤ Verification ✤ Handover To deal with software security fully, we would go through the lifecycle. In this talk we’ll just look at the first bullet point.
  • 3. Software Architecture Chris F Carroll Stating & Analysing 
 Information Security Requirements 
 using ISO 27000
  • 4. Requirements Threatsvs. All requirements have edge cases but with security they expand into a whole second way of seeing the issue. Threats get all the news. But our understanding of threats remains piecemeal if we don’t understand the core requirements they are threatening. So we start here.
  • 5. Software Architecture for Security Chris F Carroll How can we think about security? Let’s start at the beginning. To get security right, we want a framework for thinking about it: What are the questions we should ask and what concepts will help us to answer them?
  • 6. How Can We Think About Security? Chris F Carroll ✤ WHAT are we trying to secure?
 ✤ WHO are we securing for or from?
 ✤ WHAT does security mean anyway? If we can answers these 3 questions then we have done most of the work of thinking about security. To help us answer them, we want some vocabulary or a framework.
  • 7. Why use ISO 27000? ✓ ISO 27000 provides, if not a complete domain model for security, then at least a vocabulary. ✓ Our security policy and ISMS approach is based on the ISO 27000 series. At some point, our homegrown software has to dovetail with it. Chris F Carroll ISO 27000 series is a standards series for an information security management systems. It starts with a few pages of definitions. Which goes a long way to a framework for thinking about security. (actually you can get the same vocabulary from wikipedia or a software architecture textbook).
  • 8. Group Policy Statement Information Security Policy v10.1, 2018 “We strive to protect the group’s critical information assets against all internal, external, deliberate or accidental threats throughout its lifecycle
 We protect against unauthorised access threatening the Confidentiality of our information and ensure that the Integrity and Availability of critical information is maintained.
 Our Information security policy is to ensure business continuity, minimising the risk of damage by preventing security incidents and reducing their potential impact. We are committed to continuous improvement, ongoing compliance with legislative and regulatory requirements and to ensuring our employees receive appropriate information security awareness training.” Leaving threats & risk aside for the moment, we could answer our 3 questions with just 5 key ideas: 
 Asset ; (Un)Authorised ; and Confidentiality, Integrity, Availability. Here’s an example attempt to think about security, in a security policy statement. The words in bold are drawn from ISO 27000.
  • 9. How Can We Think About Security? Chris F Carroll ✤ WHAT are we trying to secure?
 ✤ WHO are we securing for or from?
 ✤ WHAT does security mean anyway? So now, let’s answer our 3 questions with this vocabulary
  • 10. Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions These are the 2 asset classes of most concern to a software team. So now, let’s answer our 3 questions with this vocabulary
  • 11. Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions We divide the world into two groups of people: The Authorised and 
 The Unauthorised.
  • 12. Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions And we get a grip on what security means with the “3 dimensions” defined by the standard, widely referred to as 
 The C.I.A.
  • 13. ISO 27000 Vocabulary for Secured Assets Chris F Carroll Asset: For us as business to say what needs securing (Un)Authorised: We as business decide who is authorised Confidentiality : “not made available or disclosed to unauthorised individuals, entities, or processes” Integrity : “accuracy and completeness” Availability : “accessible and usable upon demand by an authorised entity”
  • 14. Relating Other Vocabulary to the Standard Chris F Carroll How do other vocabularies map to/from “Assets + Authorised Users + C.I.A.?” Read-access threatens Confidentiality Write-access threatens Integrity Deny-Read protects Confidentiality by restricting Availability Deny-Write protects Integrity, restricting Availability Access Control addresses C.I.A. requirements
  • 15. Chris F Carroll Access Control: “to ensure that access to assets is authorised & restricted based on business and security requirements” ISO 27000 Vocabulary for Secured Assets
  • 16. Relating Other Vocabulary to the Standard Chris F Carroll Users,Groups, Roles Identity, Principal, Claims These (and more) are all used to define 
 Authorised User ISO standard dates from 1990s (BS7799) How do other vocabularies map to/from Assets + Authorised Users + C.I.A.?
  • 17. Relating Other Vocabulary to the Standard Chris F Carroll Authenticating Identity is our usual way to convince ourselves we have an Authorised User How does a system know that a user is authorised? Authentication : “Provision of assurance that a claimed characteristic of an entity is correct”
  • 18. Relating Other Vocabulary to the Standard Chris F Carroll Confidentiality presumably implies Access Control: Deny-Read Integrity presumably implies Access Control: Deny-Write Availability may imply Grant-Read Grant-Write Uptime, backups, connectivity, resilience to attack How does C.I.A map back to other vocabularies? Note the last bullet. Security includes both functional and non-functional requirements (NFRs).
  • 19. Security : Just 3 Questions Chris F Carroll ✤ WHAT are we trying to secure? ➡ Assets: Data Stores & Systems ✤ WHO are we securing for & from? ➡ (Un)Authorised Users ✤ WHAT does security mean anyway? ➡ C.I.A.
 N.B. the need to prove & improve security may result in requirements for audit, accountability, monitoring, etc. Thinking about security: We answered our 3 questions using only a few key ideas, but this is enough to state and analyse requirements.
  • 20. Software Architecture Chris F Carroll How can we use this?
  • 21. Security Requirements Chris F Carroll HLD or Architecture Template Express security requirements using the 3 Questions 1. WHAT Assets must this system secure? List Assets Accessed or Exposed
 1.1 Data Stores 1.2 Other Systems 2. WHO Are we securing For/From? Identify Authorised Roles and Authentication Mechanisms 3. WHAT do we mean by Security? State C.I.A. Requirements Per Asset Per Authorised Identity PROPOSAL A typical software architecture document includes a placeholder for security requirements. We can use the 3 Questions to structure the statement of requirements
  • 22. Security Requirements Chris F Carroll HLD Security Requirements 1.1. Data Stores Accessed or Exposed by this Project Data Store Category or Risk Level New Exposure? 1. Shiva DB Confidential
 GDPR Yes PROPOSAL System Accessed or Exposed? New Exposure? 1. Adobe Campaign Manager Accessed Yes 2. SMS & Email Accessed Yes 1.2. Other Systems Accessed or Exposed by this Project 1. Let’s start with, simply, a list of assets that our new project will, or may, expose or access.
  • 23. Security Requirements Chris F Carroll HLD Security Requirements 1.1. Data Stores Accessed or Exposed by this Project Data Store Category or Risk Level New Exposure? 1. Shiva DB Confidential
 GDPR Yes PROPOSAL System Accessed or Exposed? New Exposure? 1. Adobe Campaign Manager Accessed Yes 2. SMS & Email Accessed Yes 1.2. Other Systems Accessed or Exposed by this Project We didn’t discuss RISK earlier. Some assets are more risky, or valuable, than others. For each asset, assess the risk of a breach of C.I.A. requirements.
  • 24. Security Requirements Chris F Carroll PROPOSAL User/Role/Principal Authentication Mechanism Online Customer OAuth2 provider Auth0 CCA Permission X AD Login CCA Permission Y AD Login HLD Security Requirements 2. Authorised Users/Roles & Authentication Mechanisms 2. 
 Divide the world into authorised and unauthorised. We often use Roles or Groups to define this division, because managing for hundreds or thousands of individuals is just too burdensome and error prone
  • 25. Security Requirements Chris F Carroll PROPOSAL User/Role/Principal Authentication Mechanism Online Customer OAuth2 provider Auth0 CCA Permission X AD Login CCA Permission Y AD Login HLD Security Requirements 2. Authorised Users/Roles & Authentication Mechanisms If there is a more than one identity or login mechanism, then it helps to list them
  • 26. Security Requirements Chris F Carroll PROPOSAL Asset Authorised User Confidentiality (Read Access is restricted to…) Integrity
 (Operations
 restricted to…) Customer DB Authenticated Customer Read access to own data only Permissions detailed below… Adobe Campaign Manager Service Account NONE needed Permitted Operations below… Email & SMS Service Account NONE needed Permitted Operations below… HLD Security Requirements 3. List CIA Requirements Per Asset Per Authorised User 3. Finally the detail of permissions: 
 User A is authorised to perform operation X on data Y Coming back to the System Assets, we are concerned about the risk raised by connectivity. The more we can restrict the connections—the interfaces—the more simple and easy to do the security
  • 27. Security Requirements Chris F Carroll HLD Template Express security requirements using the 3 Questions 1. WHAT Assets must this system secure? List Assets Accessed or Exposed
 1.1 Data Stores 1.2 Other Systems 2. WHO Are we securing For/From? Identify Authorised Roles and Authentication Mechanisms 3. WHAT do we mean by Security? State C.I.A. Requirements Per Asset Per Authorised Identity PROPOSAL
  • 28. Security Requirements Analysis Chris F Carroll Asset Id Assets Where is it? Type of Asset Who's Asset? Required Confidentiality Level Required Availability & Integrity Level 1 LB code and scripts BitBucket, Dev Machines, Private NuGet Our labour LB Low Medium 2 AWS Dev AWS Dev Our labour LB Low Medium 3 AWS Live Infrastructure Design & Runtime AWS Live: ECS EC2 Operations LB Low Business Process Critical 4 All Customer's Business Data AWS Live: ECS EC2 DB Customers' Data Customers Business Critical Business Process Critical 5 All Customer's Customers Personal Data AWS Live: ECS EC2 DB Logs Personal Data Customers' Customers Business & Regulatory Critical Business Process Critical 6 Single Customer's Business Data AWS Live: ECS EC2 DB Customer's Data Customers Business Critical Business Process Critical 7 Single Customer's Customers Personal Data AWS Live: ECS EC2 DB Logs Personal Data Customer's Customers Business & Regulatory Critical Business Process Critical Asset List for a cloud-hosted multi-tenant service More complex example
  • 29. Design for Security Requirements Chris F Carroll Confidentiality : per-customer confidentiality for an online system implies we must design row-level security and be able to verify it is implemented correctly Integrity : If all write access goes through a single tightly controlled interface, we can prove that no unexpected modifications are possible Auth (login, lockout, password reset): Buy or Build? Design Decisions, Tactics, Implementation Rules
 follow on from Security Requirements
  • 30. Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions
  • 31. Software Architecture Chris F Carroll ✓ Definitions & 
 Requirements I : Analysis ✤ Design ✤ Requirements II : Threats & Risks ✤ Implementation ✤ Verification ✤ Handover