SlideShare ist ein Scribd-Unternehmen logo

Security Design Concepts

Mohammed Fazuluddin
Mohammed Fazuluddin

This document provides an overview of key concepts for application security design. It discusses the importance of incorporating security throughout the application development lifecycle. It outlines several security design aspects that should be considered, including authentication, authorization using roles, session management, and implementing a secure access layer. It also emphasizes the importance of security testing, code reviews, and conducting risk assessments and assurance testing prior to deployment. Finally, it discusses how to establish security guidelines and build a centralized security infrastructure with interoperable components to provide identity, authentication, authorization and other security services across applications in a standardized way.

Technologie
1 von 40
SECURITY DESIGN CONCEPTS @Mohammed Fazuluddin
TOPICS • Overview • Security Design Aspects • Application Security Design Concepts • Application Security Guidelines • Security Architecture/Design Analysis • Security Risk Assessment And Assurance • Security Infrastructure With Interoperable Components
OVERVIEW Basic Security Design
OVERVIEW
OVERVIEW • Application security has always been a risk and it is always ignored by assuming that the firewalls will protect everything. • Many application attacks are happening even we have layered perimeter security, corporations need to realize the threat and raise its priority. • While designing the application the architect team need to work on security features with application teams to incorporate this life cycle within the various development styles that are being used. • To avoid the security risks , tools/products need to be acquired to perform risk assessment and assurance of the systems and applications that are being deployed. • New applications need to use the security infrastructure from the start and the older applications need to start migrating towards it.
OVERVIEW • In architectural designs need to be planned for the analysis of the vulnerabilities and a common, centralized security infrastructure. • While designing the application architecture we need to understand the functional, performance, cost and process requirements from a security perspective. • The infrastructure may provide the security components in a certain language and the application might be using a different language. • Standards for systems and applications need to be established and the guidelines, processes and checklists need to be developed for supporting the application security lifecycle.
OVERVIEW
Principles of Software Security: • Secure the weakest link. • Practice defense in depth. • Fail securely- If your software has to fail, make sure it does it securely. • Follow the principle of least privilege. • Compartmentalize- Minimize the amount of damage that can be done by breaking the system into units. • Keep it simple- Complex design is never easy to understand. • Promote privacy- Try not to do anything that compromises the privacy of the user. • Remember that hiding secrets is hard. • Be reluctant to trust- Instead of making assumptions that need to hold true, you should be reluctant to extend trust. • Use your community resources- Public scrutiny promotes trust. OVERVIEW
Software Security Best Practices: • Institute awareness programs. • Perform application assessments. • Capture security requirements. • Implement secure development practices. • Build vulnerability remediation procedures. • Define and monitor metrics. • Publish operational security guidelines. OVERVIEW
SECURITY DESIGN ASPECTS
SECURITY DESIGN ASPECTS Authentication: • Authentication is used to determine the legitimacy of a user who wants to access the application. • Different levels of authentication can be used to protect the application based on the risk associated with the application. • Sensitivity of the data, application functionality, application architecture (the more distributed it is, the more the risk), user base could be factors determining the risk. • Every user may not need access to the all the application resources including business logic and/or data. • The resources need to be grouped based on the functional roles different users have, this way of assigning privileges to a user is called the roles based access control (RBAC) method.
SECURITY DESIGN ASPECTS
SECURITY DESIGN ASPECTS Authentication: • Once a user is authenticated and is authorized to perform a business function (transaction), there may be data/control transfer between different processes on different systems. • If the data is corrupted or compromised, there will be integrity and confidentiality issues. In addition to protecting data in transit, protection of static data is required to provide integrity and confidentiality. • If the configuration files containing the connection and initialization attributes of an application were compromised, integrity and confidentiality of the application resources could be severely compromised. • The cost of implementing a solution varies widely with the different authentication technology that is used. In some cases, where there is a need for strong authentication, a combination of these factors should be used.
SECURITY DESIGN ASPECTS Confidentiality: • Confidentiality keeps the data secret from all but those who are authorized to see it. Various cryptographic methods can be used to provide confidentiality component. • ‘Cryptography is the art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible and then retransforming that message back to its original form’. • Encryption transforms plain text to cipher text using a secret key and decryption transforms cipher text back to plain text using the secret key. • The cryptography method using the same secret key to encrypt and decrypt the messages is called symmetric and the one using different keys is called asymmetric. • Application data can be kept confidential using cryptography, if the secret key can be secured.
SECURITY DESIGN ASPECTS Auditing: • Auditing is another security feature that needs to be implemented in the application. • Since no application can ever be completely invulnerable to threats, auditing must be in- place to provide data needed for incident response. • The auditing feature should provide a trail of which user did what and when at any given point of the application lifetime. • The final component, Non-repudiation provides proof of existence of message. • The goal of a nonrepudiation component is to collect, maintain, make available irrefutable evidence.
SECURITY DESIGN ASPECTS Integrity: • Integrity is ‘the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner’. • Incorporating integrity into an application will inform the recipient of data modification by unauthorized users during storage or transmittal. • Various hash methods such as SHA-1 or MD5 can provide the integrity component. • Confidentiality is ‘the property that information is not made available or disclosed to unauthorized individuals, entities, or processes [i.e., to any unauthorized system entity]’.
SECURITY DESIGN ASPECTS
APPLICATION SECURITY DESIGN CONCEPTS
APPLICATION SECURITY DESIGN CONCPTS • In application design the security parameters needs to be involved with the application team to assist them in implementing proper security technology and/or processes. • The below mentioned security controls needs to be considered as part of security design… • Single Access Point • Session • Roles • Secure Access Layer • Audit • Administration layer
APPLICATION SECURITY DESIGN CONCEPTS
APPLICATION SECURITY DESIGN CONCEPTS Single Access Point: • User entry into an application should be though a single point. • This feature also saves the user from having to remember multiple passwords which can provide enhanced security by eliminating a need to write down passwords in unsecured places (for example, sticky notes under a keyboard or on a monitor) • Identification and authentication components need to be performed at this point. • Access points to multiple applications can be consolidated to a single point, often called a portal. Also, technologies such as single sign-on are gaining popularity. • Single sign-on enables a single access point into multiple applications by authenticating once. • Backdoors should be avoided and application entry should be restricted to a single point for all types of users, including administrators.
APPLICATION SECURITY DESIGN CONCEPTS
APPLICATION SECURITY DESIGN CONCEPTS Session: • Users should not have to authenticate multiple times while they are traversing an application, their current interaction with the application needs to be maintained by the application. • This session must be unique and separately maintained for every user. • If a user is away from the application for sometime, the session should help the application from determining the user and their current state with the application. • Authentication details like last active time can help the application determine whether it needs to authenticate the user again per the authentication policy.
APPLICATION SECURITY DESIGN CONCEPTS
APPLICATION SECURITY DESIGN CONCEPTS Roles: • Users have different needs in an application. Users should be given different privileges (read, change, add, delete) to various application resources within an application. • Users are grouped into a certain role and privileges to required application resources will be given to that role. Once that is done, all the users who perform that role are assigned that role instead of each privilege individually. • Instead of changing a privilege for every user, the administrator will just have to change it for that role. • Check points have to be established at every resource level where a privilege to a user needs to be defined. These check points should query the access control data to make a decision for the user to access the resource.
APPLICATION SECURITY DESIGN CONCEPTS
APPLICATION SECURITY DESIGN CONCEPTS Secure Access Layer: • Applications use various mechanisms to communicate with the user or other applications. • Depending on the classification of the data that is exchanged or control that is transferred during the communication, the access mechanisms and access layer need to be secured. • Confidentiality and integrity components need to be used to secure the communication, as well as static data. For example, SSL can be enabled on a web server using certificates to provide authentication of the application to the user, confidentiality between the application and the end user and integrity of the information transferred.
APPLICATION SECURITY DESIGN CONCEPTS
APPLICATION SECURITY DESIGN CONCEPTS Audit: • Components need to be placed in an application for tracking the actions being performed on the application resources. • The placement of these components should help tracing any application event. • Proper backup and recovery procedures need to be implemented for the audit output using retention guidelines. Also, the audit output should be properly formatted to help searches or statistic generation. • The output should definitely contain the successful and unsuccessful attempts by a user accessing a resource at the single access point and all the checkpoints. • Adding a timestamp, message code and message description will add value to the output.
APPLICATION SECURITY DESIGN CONCEPTS
APPLICATION SECURITY DESIGN CONCEPTS Administration layer: • Easy to use administration functionality needs to be provided to the application administrators to maintain user identification attributes, authentication and authorization information. • The administration functionality needs to be accessible to the administrators though the single entry point and proper authorization. • Some features that would help application administrators are: • Support for RBAC(creating roles and assigning them to users) • User administration(enable/disable users) • Application scan facility to generate new access points when changes are made to existing applications
Logic analysis: • Logic analysis evaluates the equations, algorithms, and control logic of the software design. Data analysis: • Data analysis evaluates the description and intended usage of each data item used in design of the software component. The use of interrupts and their effect on data should receive special attention to ensure interrupt handling routines do not alter critical data used by other routines. Interface analysis: • Interface analysis verifies the proper design of a software component's interfaces with other components of the system, including computer hardware, software, and end-users. Constraint analysis: • Constraint analysis evaluates the design of a software component against restrictions imposed by requirements and real-world limitations. The design must be responsive to all known or anticipated restrictions on the software component. These restrictions may include timing, sizing, and throughput constraints, input and output data limitations, equation and algorithm limitations, and other design limitations. SECURITY ARCHITECTURE/DESIGN ANALYSIS
Secure code reviews, inspections, and walkthroughs: • Secure Code reviews are conducted during and at the end of the development phase to determine whether established security requirements, security design concepts, and security-related specifications have been satisfied. Informal reviews: • Informal secure code reviews can be conducted on an as-needed basis. To conduct an informal review, the developer simply selects one or more reviewer(s) and provides and/or presents the material to be reviewed. The material may be as informal as pseudo-code or hand-written documentation. Formal reviews: • Formal secure code reviews are conducted at the end of the development phase for each software component. The client of the software appoints the formal review group, who may make or affect a "go/no-go" decision to proceed to the next step of the software development life cycle. Security testing: • Software security testing, which includes penetration testing, confirms the results of design and code analysis, investigates software behavior, and verifies that the software complies with security requirements. Special security testing, conducted in accordance with a security test plan and procedures, establishes the compliance of the software with the security requirements. SECURITY ARCHITECTURE/DESIGN ANALYSIS
APPLICATION SECURITY GUIDELINES • Application security development guideline needs to be created, specifying various technologies and a coding style to eliminate vulnerabilities and help mitigate risk. • A common vulnerability of application is buffer overflow. • Authorization needs to be handled carefully, just defining roles and assigning those to users will not completely secure authorization. • Situations where multiple roles are assigned to the same user with different types of privilege on the same resource need to be considered. • Error/exception handling mechanisms used should not display too many development details. • System configuration needs to be analyzed, never use the default configuration. • Some coding scheme needs to be used which could be cross-referenced to an error description database.
SECURITY RISK ASSESSMENT AND ASSURANCE • Applications need to be assessed at the business level to ascertain the risk based on information compromise, unauthorized access and availability for determining the security level that needs to be assigned to them. • After an application has been developed and functionally tested and before deploying it to production environment, we need to meticulously perform a security risk assessment and assurance test. • This test will help ensure the total system is in compliance based on the security level assigned to it. These tests need to be mandated on all applications, newly developed or changing an existing application or a purchased product. • Application risk checklists need to be developed to assure that proper security controls have been placed at the appropriate locations within the application. • The checklist must be updated at a regular interval to accommodate newer technologies and threats.
SECURITY RISK ASSESSMENT AND ASSURANCE • The checklist should contain all aspects of logical access for various security levels including: • User identification (registration process). • Authentication (level, password strength, sign-on attempts, account lockout policies, helpdesk processes on unlocking, session tracking) – authorization. • Sensitive data handling(encryption, hashing). • Auditing features. • Security administration. • Tools, products or processes need to be employed to standardize the methodology of security assessments. • Application contingency plans should be reviewed to make sure all the backup and recovery plans are up to date so that there is no disruption of service (availability).
Software security assurance program should ensure that: • A security evaluation has been performed for the software. • Security requirements have been established for the software. • Security requirements have been established for the software development and/or operations and maintenance (O&M) processes. • Each software review, or audit, includes an evaluation of the security requirements. • A configuration management and corrective action process is in place to provide security for the existing software and to ensure that any proposed changes do not inadvertently create security violations or vulnerabilities. • Physical security for the software is adequate. SECURITY RISK ASSESSMENT AND ASSURANCE
SECURITY INFRASTRUCTURE WITH INTEROPERABLE COMPONENTS
SECURITY INFRASTRUCTURE WITH INTEROPERABLE COMPONENTS • The infrastructure needs to be interoperable with any application and be maintained by a team that can keep pace with the latest standards. • Accomplishing the above and offering security as a centralized component can be a tedious and painful task. Eventually, the Enterprise will realize the fruits - cost savings and controlled environment. • This centralized infrastructure should: • Provide Identity, authentication, authorization, confidentiality, integrity non-repudiation and audit components. • Adhere to industry standards. • Easily manageable and scalable. • Provide the framework which needs to adapt to newer technologies with less effort (security is a race where the good guys always need to be in front of the bad guys). • To provide the above infrastructure, the security team needs to analyze the existing applications and define the requirements.
THANKS • If you feel it is helpful and worthy to share with other people, please share the same

Empfohlen

Coupling , Cohesion and there Types
Coupling , Cohesion and there TypesCoupling , Cohesion and there Types
Coupling , Cohesion and there Types
Munaam Munawar
 
Cohesion and coupling
Cohesion and couplingCohesion and coupling
Cohesion and coupling
Aprajita (Abbey) Singh
 
Introduction to Relational Databases
Introduction to Relational DatabasesIntroduction to Relational Databases
Introduction to Relational Databases
Research Support Team, IT Services, University of Oxford
 
UML
UMLUML
UML
iQra Rafaqat
 
Software design
Software designSoftware design
Software design
Syed Muhammad Hammad-ud-Din
 
Design patterns ppt
Design patterns pptDesign patterns ppt
Design patterns ppt
Aman Jain
 
Design Pattern in Software Engineering
Design Pattern in Software EngineeringDesign Pattern in Software Engineering
Design Pattern in Software Engineering
Manish Kumar
 
Uml diagrams
Uml diagramsUml diagrams
Uml diagrams
barney92
 

Empfohlen

Coupling , Cohesion and there Types
Coupling , Cohesion and there TypesCoupling , Cohesion and there Types
Coupling , Cohesion and there Types
Munaam Munawar
 
Cohesion and coupling
Cohesion and couplingCohesion and coupling
Cohesion and coupling
Aprajita (Abbey) Singh
 
Introduction to Relational Databases
Introduction to Relational DatabasesIntroduction to Relational Databases
Introduction to Relational Databases
Research Support Team, IT Services, University of Oxford
 
UML
UMLUML
UML
iQra Rafaqat
 
Software design
Software designSoftware design
Software design
Syed Muhammad Hammad-ud-Din
 
Design patterns ppt
Design patterns pptDesign patterns ppt
Design patterns ppt
Aman Jain
 
Design Pattern in Software Engineering
Design Pattern in Software EngineeringDesign Pattern in Software Engineering
Design Pattern in Software Engineering
Manish Kumar
 
Uml diagrams
Uml diagramsUml diagrams
Uml diagrams
barney92
 
Introduction to design patterns
Introduction to design patternsIntroduction to design patterns
Introduction to design patterns
Amit Kabra
 
Software Architecture and Design
Software Architecture and DesignSoftware Architecture and Design
Software Architecture and Design
Ra'Fat Al-Msie'deen
 
Android - Android Intent Types
Android - Android Intent TypesAndroid - Android Intent Types
Android - Android Intent Types
Vibrant Technologies & Computers
 
Design Patterns - General Introduction
Design Patterns - General IntroductionDesign Patterns - General Introduction
Design Patterns - General Introduction
Asma CHERIF
 
Cloud deployment models
Cloud deployment modelsCloud deployment models
Cloud deployment models
Ashok Kumar
 
Introduction to Design Pattern
Introduction to Design PatternIntroduction to Design Pattern
Introduction to Design Pattern
Sanae BEKKAR
 
Uml class-diagram
Uml class-diagramUml class-diagram
Uml class-diagram
ASHOK KUMAR PALAKI
 
Chapter 15 software product metrics
Chapter 15 software product metricsChapter 15 software product metrics
Chapter 15 software product metrics
SHREEHARI WADAWADAGI
 
Gof design patterns
Gof design patternsGof design patterns
Gof design patterns
Srikanth R Vaka
 
User Interface Analysis and Design
User Interface Analysis and Design User Interface Analysis and Design
User Interface Analysis and Design
Saqib Raza
 
Unit 2(advanced class modeling & state diagram)
Unit 2(advanced class modeling & state diagram)Unit 2(advanced class modeling & state diagram)
Unit 2(advanced class modeling & state diagram)
Manoj Reddy
 
Webservices
WebservicesWebservices
Webservices
Gerard Sylvester
 
Object Oriented Design
Object Oriented DesignObject Oriented Design
Object Oriented Design
Sudarsun Santhiappan
 
Software architecture design ppt
Software architecture design pptSoftware architecture design ppt
Software architecture design ppt
farazimlak
 
SOA Service Oriented Architecture
SOA Service Oriented ArchitectureSOA Service Oriented Architecture
SOA Service Oriented Architecture
Vinay Rajadhyaksha
 
CS6010 Social Network Analysis Unit II
CS6010 Social Network Analysis Unit IICS6010 Social Network Analysis Unit II
CS6010 Social Network Analysis Unit II
pkaviya
 
Ian Sommerville, Software Engineering, 9th Edition Ch1
Ian Sommerville, Software Engineering, 9th Edition Ch1Ian Sommerville, Software Engineering, 9th Edition Ch1
Ian Sommerville, Software Engineering, 9th Edition Ch1
Mohammed Romi
 
Tools and techniques for data science
Tools and techniques for data scienceTools and techniques for data science
Tools and techniques for data science
Ajay Ohri
 
Creational pattern
Creational patternCreational pattern
Creational pattern
Himanshu
 
Design Patterns
Design PatternsDesign Patterns
Design Patterns
soms_1
 
Selecting best NoSQL
Selecting best NoSQL Selecting best NoSQL
Selecting best NoSQL
Mohammed Fazuluddin
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
Mohammed Fazuluddin
 

Weitere ähnliche Inhalte

Was ist angesagt?

Design Patterns
Design PatternsDesign Patterns
Design Patterns
soms_1
 

Was ist angesagt? (20)

Introduction to design patterns
Introduction to design patternsIntroduction to design patterns
Introduction to design patterns
 
Software Architecture and Design
Software Architecture and DesignSoftware Architecture and Design
Software Architecture and Design
 
Android - Android Intent Types
Android - Android Intent TypesAndroid - Android Intent Types
Android - Android Intent Types
 
Design Patterns - General Introduction
Design Patterns - General IntroductionDesign Patterns - General Introduction
Design Patterns - General Introduction
 
Cloud deployment models
Cloud deployment modelsCloud deployment models
Cloud deployment models
 
Introduction to Design Pattern
Introduction to Design PatternIntroduction to Design Pattern
Introduction to Design Pattern
 
Uml class-diagram
Uml class-diagramUml class-diagram
Uml class-diagram
 
Chapter 15 software product metrics
Chapter 15 software product metricsChapter 15 software product metrics
Chapter 15 software product metrics
 
Gof design patterns
Gof design patternsGof design patterns
Gof design patterns
 
User Interface Analysis and Design
User Interface Analysis and Design User Interface Analysis and Design
User Interface Analysis and Design
 
Unit 2(advanced class modeling & state diagram)
Unit 2(advanced class modeling & state diagram)Unit 2(advanced class modeling & state diagram)
Unit 2(advanced class modeling & state diagram)
 
Webservices
WebservicesWebservices
Webservices
 
Object Oriented Design
Object Oriented DesignObject Oriented Design
Object Oriented Design
 
Software architecture design ppt
Software architecture design pptSoftware architecture design ppt
Software architecture design ppt
 
SOA Service Oriented Architecture
SOA Service Oriented ArchitectureSOA Service Oriented Architecture
SOA Service Oriented Architecture
 
CS6010 Social Network Analysis Unit II
CS6010 Social Network Analysis Unit IICS6010 Social Network Analysis Unit II
CS6010 Social Network Analysis Unit II
 
Ian Sommerville, Software Engineering, 9th Edition Ch1
Ian Sommerville, Software Engineering, 9th Edition Ch1Ian Sommerville, Software Engineering, 9th Edition Ch1
Ian Sommerville, Software Engineering, 9th Edition Ch1
 
Tools and techniques for data science
Tools and techniques for data scienceTools and techniques for data science
Tools and techniques for data science
 
Creational pattern
Creational patternCreational pattern
Creational pattern
 
Design Patterns
Design PatternsDesign Patterns
Design Patterns
 

Andere mochten auch

BFS-2016-06-journal
BFS-2016-06-journalBFS-2016-06-journal
BFS-2016-06-journal
James Wilson
 
The power of “we got it wrong”
The power of “we got it wrong”The power of “we got it wrong”
The power of “we got it wrong”
WorkInConfidence
 

Andere mochten auch (15)

Selecting best NoSQL
Selecting best NoSQL Selecting best NoSQL
Selecting best NoSQL
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
 
NOSQL vs SQL
NOSQL vs SQLNOSQL vs SQL
NOSQL vs SQL
 
Software Design Concepts
Software Design ConceptsSoftware Design Concepts
Software Design Concepts
 
Selecting the right cache framework
Selecting the right cache frameworkSelecting the right cache framework
Selecting the right cache framework
 
Cloud computing and data security
Cloud computing and data securityCloud computing and data security
Cloud computing and data security
 
BFS-2016-06-journal
BFS-2016-06-journalBFS-2016-06-journal
BFS-2016-06-journal
 
30-Minute Social Media Marketing by Susan Gunelius
30-Minute Social Media Marketing by Susan Gunelius30-Minute Social Media Marketing by Susan Gunelius
30-Minute Social Media Marketing by Susan Gunelius
 
The power of “we got it wrong”
The power of “we got it wrong”The power of “we got it wrong”
The power of “we got it wrong”
 
Parę spostrzeżeń dot. sklepów w Nowej Zelandii
Parę spostrzeżeń dot. sklepów w Nowej ZelandiiParę spostrzeżeń dot. sklepów w Nowej Zelandii
Parę spostrzeżeń dot. sklepów w Nowej Zelandii
 
Asian mythology-workbook
Asian mythology-workbookAsian mythology-workbook
Asian mythology-workbook
 
Aptech maliviya nagar is the best IT training institute in Delhi
Aptech maliviya nagar is the best IT training institute in DelhiAptech maliviya nagar is the best IT training institute in Delhi
Aptech maliviya nagar is the best IT training institute in Delhi
 
HOLYTHURSDAYSALVMbcsnet
HOLYTHURSDAYSALVMbcsnetHOLYTHURSDAYSALVMbcsnet
HOLYTHURSDAYSALVMbcsnet
 
Press Release1
Press Release1Press Release1
Press Release1
 
No seatbealts = 8x chances of getting killed
No seatbealts = 8x chances of getting killedNo seatbealts = 8x chances of getting killed
No seatbealts = 8x chances of getting killed
 

Ähnlich wie Security Design Concepts

Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
LOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGLOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODING
Sri Latha
 
Avoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slidesAvoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slides
AlgoSec
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 

Ähnlich wie Security Design Concepts (20)

Security Design Principles.ppt
Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.ppt
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
Un enfoque práctico para implementar confianza cero en el trabajo híbridoUn enfoque práctico para implementar confianza cero en el trabajo híbrido
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
 
Principles for Secure Design and Software Security
Principles for Secure Design and Software Security Principles for Secure Design and Software Security
Principles for Secure Design and Software Security
 
System Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxSystem Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptx
 
Mobile Security for the Enterprise
Mobile Security for the EnterpriseMobile Security for the Enterprise
Mobile Security for the Enterprise
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptx
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
 
Building an AppSec Culture
Building an AppSec Culture Building an AppSec Culture
Building an AppSec Culture
 
Quality attributes in software architecture
Quality attributes in software architectureQuality attributes in software architecture
Quality attributes in software architecture
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
LOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGLOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODING
 
Avoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slidesAvoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slides
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdf
 
Computer Security.pptx
Computer Security.pptxComputer Security.pptx
Computer Security.pptx
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
 
Unit4
Unit4Unit4
Unit4
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 

Mehr von Mohammed Fazuluddin

Mehr von Mohammed Fazuluddin (19)

DOMAIN DRIVER DESIGN
DOMAIN DRIVER DESIGNDOMAIN DRIVER DESIGN
DOMAIN DRIVER DESIGN
 
New Relic Basics
New Relic BasicsNew Relic Basics
New Relic Basics
 
Terraform Basics
Terraform BasicsTerraform Basics
Terraform Basics
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Software architectural patterns - A Quick Understanding Guide
Software architectural patterns - A Quick Understanding GuideSoftware architectural patterns - A Quick Understanding Guide
Software architectural patterns - A Quick Understanding Guide
 
Mule ESB - An Enterprise Service Bus
Mule ESB - An Enterprise Service BusMule ESB - An Enterprise Service Bus
Mule ESB - An Enterprise Service Bus
 
Docker - A Quick Introduction Guide
Docker - A Quick Introduction GuideDocker - A Quick Introduction Guide
Docker - A Quick Introduction Guide
 
Cassandra - A Basic Introduction Guide
Cassandra - A Basic Introduction GuideCassandra - A Basic Introduction Guide
Cassandra - A Basic Introduction Guide
 
React JS - A quick introduction tutorial
React JS - A quick introduction tutorialReact JS - A quick introduction tutorial
React JS - A quick introduction tutorial
 
Rest API Design Rules
Rest API Design RulesRest API Design Rules
Rest API Design Rules
 
Scrum process framework
Scrum process frameworkScrum process framework
Scrum process framework
 
DevOps and Tools
DevOps and ToolsDevOps and Tools
DevOps and Tools
 
UI architecture & designing
UI architecture & designingUI architecture & designing
UI architecture & designing
 
Data streaming fundamentals
Data streaming fundamentalsData streaming fundamentals
Data streaming fundamentals
 
Microservice's in detailed
Microservice's in detailedMicroservice's in detailed
Microservice's in detailed
 
Java performance tuning
Java performance tuningJava performance tuning
Java performance tuning
 
Java workflow engines
Java workflow enginesJava workflow engines
Java workflow engines
 
Choosing The Right ESB
Choosing The Right ESBChoosing The Right ESB
Choosing The Right ESB
 
Kafka presentation
Kafka presentationKafka presentation
Kafka presentation
 

Kürzlich hochgeladen

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Security Design Concepts

  • 2. TOPICS • Overview • Security Design Aspects • Application Security Design Concepts • Application Security Guidelines • Security Architecture/Design Analysis • Security Risk Assessment And Assurance • Security Infrastructure With Interoperable Components
  • 5. OVERVIEW • Application security has always been a risk and it is always ignored by assuming that the firewalls will protect everything. • Many application attacks are happening even we have layered perimeter security, corporations need to realize the threat and raise its priority. • While designing the application the architect team need to work on security features with application teams to incorporate this life cycle within the various development styles that are being used. • To avoid the security risks , tools/products need to be acquired to perform risk assessment and assurance of the systems and applications that are being deployed. • New applications need to use the security infrastructure from the start and the older applications need to start migrating towards it.
  • 6. OVERVIEW • In architectural designs need to be planned for the analysis of the vulnerabilities and a common, centralized security infrastructure. • While designing the application architecture we need to understand the functional, performance, cost and process requirements from a security perspective. • The infrastructure may provide the security components in a certain language and the application might be using a different language. • Standards for systems and applications need to be established and the guidelines, processes and checklists need to be developed for supporting the application security lifecycle.
  • 8. Principles of Software Security: • Secure the weakest link. • Practice defense in depth. • Fail securely- If your software has to fail, make sure it does it securely. • Follow the principle of least privilege. • Compartmentalize- Minimize the amount of damage that can be done by breaking the system into units. • Keep it simple- Complex design is never easy to understand. • Promote privacy- Try not to do anything that compromises the privacy of the user. • Remember that hiding secrets is hard. • Be reluctant to trust- Instead of making assumptions that need to hold true, you should be reluctant to extend trust. • Use your community resources- Public scrutiny promotes trust. OVERVIEW
  • 9. Software Security Best Practices: • Institute awareness programs. • Perform application assessments. • Capture security requirements. • Implement secure development practices. • Build vulnerability remediation procedures. • Define and monitor metrics. • Publish operational security guidelines. OVERVIEW
  • 11. SECURITY DESIGN ASPECTS Authentication: • Authentication is used to determine the legitimacy of a user who wants to access the application. • Different levels of authentication can be used to protect the application based on the risk associated with the application. • Sensitivity of the data, application functionality, application architecture (the more distributed it is, the more the risk), user base could be factors determining the risk. • Every user may not need access to the all the application resources including business logic and/or data. • The resources need to be grouped based on the functional roles different users have, this way of assigning privileges to a user is called the roles based access control (RBAC) method.
  • 13. SECURITY DESIGN ASPECTS Authentication: • Once a user is authenticated and is authorized to perform a business function (transaction), there may be data/control transfer between different processes on different systems. • If the data is corrupted or compromised, there will be integrity and confidentiality issues. In addition to protecting data in transit, protection of static data is required to provide integrity and confidentiality. • If the configuration files containing the connection and initialization attributes of an application were compromised, integrity and confidentiality of the application resources could be severely compromised. • The cost of implementing a solution varies widely with the different authentication technology that is used. In some cases, where there is a need for strong authentication, a combination of these factors should be used.
  • 14. SECURITY DESIGN ASPECTS Confidentiality: • Confidentiality keeps the data secret from all but those who are authorized to see it. Various cryptographic methods can be used to provide confidentiality component. • ‘Cryptography is the art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible and then retransforming that message back to its original form’. • Encryption transforms plain text to cipher text using a secret key and decryption transforms cipher text back to plain text using the secret key. • The cryptography method using the same secret key to encrypt and decrypt the messages is called symmetric and the one using different keys is called asymmetric. • Application data can be kept confidential using cryptography, if the secret key can be secured.
  • 15. SECURITY DESIGN ASPECTS Auditing: • Auditing is another security feature that needs to be implemented in the application. • Since no application can ever be completely invulnerable to threats, auditing must be in- place to provide data needed for incident response. • The auditing feature should provide a trail of which user did what and when at any given point of the application lifetime. • The final component, Non-repudiation provides proof of existence of message. • The goal of a nonrepudiation component is to collect, maintain, make available irrefutable evidence.
  • 16. SECURITY DESIGN ASPECTS Integrity: • Integrity is ‘the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner’. • Incorporating integrity into an application will inform the recipient of data modification by unauthorized users during storage or transmittal. • Various hash methods such as SHA-1 or MD5 can provide the integrity component. • Confidentiality is ‘the property that information is not made available or disclosed to unauthorized individuals, entities, or processes [i.e., to any unauthorized system entity]’.
  • 19. APPLICATION SECURITY DESIGN CONCPTS • In application design the security parameters needs to be involved with the application team to assist them in implementing proper security technology and/or processes. • The below mentioned security controls needs to be considered as part of security design… • Single Access Point • Session • Roles • Secure Access Layer • Audit • Administration layer
  • 21. APPLICATION SECURITY DESIGN CONCEPTS Single Access Point: • User entry into an application should be though a single point. • This feature also saves the user from having to remember multiple passwords which can provide enhanced security by eliminating a need to write down passwords in unsecured places (for example, sticky notes under a keyboard or on a monitor) • Identification and authentication components need to be performed at this point. • Access points to multiple applications can be consolidated to a single point, often called a portal. Also, technologies such as single sign-on are gaining popularity. • Single sign-on enables a single access point into multiple applications by authenticating once. • Backdoors should be avoided and application entry should be restricted to a single point for all types of users, including administrators.
  • 23. APPLICATION SECURITY DESIGN CONCEPTS Session: • Users should not have to authenticate multiple times while they are traversing an application, their current interaction with the application needs to be maintained by the application. • This session must be unique and separately maintained for every user. • If a user is away from the application for sometime, the session should help the application from determining the user and their current state with the application. • Authentication details like last active time can help the application determine whether it needs to authenticate the user again per the authentication policy.
  • 25. APPLICATION SECURITY DESIGN CONCEPTS Roles: • Users have different needs in an application. Users should be given different privileges (read, change, add, delete) to various application resources within an application. • Users are grouped into a certain role and privileges to required application resources will be given to that role. Once that is done, all the users who perform that role are assigned that role instead of each privilege individually. • Instead of changing a privilege for every user, the administrator will just have to change it for that role. • Check points have to be established at every resource level where a privilege to a user needs to be defined. These check points should query the access control data to make a decision for the user to access the resource.
  • 27. APPLICATION SECURITY DESIGN CONCEPTS Secure Access Layer: • Applications use various mechanisms to communicate with the user or other applications. • Depending on the classification of the data that is exchanged or control that is transferred during the communication, the access mechanisms and access layer need to be secured. • Confidentiality and integrity components need to be used to secure the communication, as well as static data. For example, SSL can be enabled on a web server using certificates to provide authentication of the application to the user, confidentiality between the application and the end user and integrity of the information transferred.
  • 29. APPLICATION SECURITY DESIGN CONCEPTS Audit: • Components need to be placed in an application for tracking the actions being performed on the application resources. • The placement of these components should help tracing any application event. • Proper backup and recovery procedures need to be implemented for the audit output using retention guidelines. Also, the audit output should be properly formatted to help searches or statistic generation. • The output should definitely contain the successful and unsuccessful attempts by a user accessing a resource at the single access point and all the checkpoints. • Adding a timestamp, message code and message description will add value to the output.
  • 31. APPLICATION SECURITY DESIGN CONCEPTS Administration layer: • Easy to use administration functionality needs to be provided to the application administrators to maintain user identification attributes, authentication and authorization information. • The administration functionality needs to be accessible to the administrators though the single entry point and proper authorization. • Some features that would help application administrators are: • Support for RBAC(creating roles and assigning them to users) • User administration(enable/disable users) • Application scan facility to generate new access points when changes are made to existing applications
  • 32. Logic analysis: • Logic analysis evaluates the equations, algorithms, and control logic of the software design. Data analysis: • Data analysis evaluates the description and intended usage of each data item used in design of the software component. The use of interrupts and their effect on data should receive special attention to ensure interrupt handling routines do not alter critical data used by other routines. Interface analysis: • Interface analysis verifies the proper design of a software component's interfaces with other components of the system, including computer hardware, software, and end-users. Constraint analysis: • Constraint analysis evaluates the design of a software component against restrictions imposed by requirements and real-world limitations. The design must be responsive to all known or anticipated restrictions on the software component. These restrictions may include timing, sizing, and throughput constraints, input and output data limitations, equation and algorithm limitations, and other design limitations. SECURITY ARCHITECTURE/DESIGN ANALYSIS
  • 33. Secure code reviews, inspections, and walkthroughs: • Secure Code reviews are conducted during and at the end of the development phase to determine whether established security requirements, security design concepts, and security-related specifications have been satisfied. Informal reviews: • Informal secure code reviews can be conducted on an as-needed basis. To conduct an informal review, the developer simply selects one or more reviewer(s) and provides and/or presents the material to be reviewed. The material may be as informal as pseudo-code or hand-written documentation. Formal reviews: • Formal secure code reviews are conducted at the end of the development phase for each software component. The client of the software appoints the formal review group, who may make or affect a "go/no-go" decision to proceed to the next step of the software development life cycle. Security testing: • Software security testing, which includes penetration testing, confirms the results of design and code analysis, investigates software behavior, and verifies that the software complies with security requirements. Special security testing, conducted in accordance with a security test plan and procedures, establishes the compliance of the software with the security requirements. SECURITY ARCHITECTURE/DESIGN ANALYSIS
  • 34. APPLICATION SECURITY GUIDELINES • Application security development guideline needs to be created, specifying various technologies and a coding style to eliminate vulnerabilities and help mitigate risk. • A common vulnerability of application is buffer overflow. • Authorization needs to be handled carefully, just defining roles and assigning those to users will not completely secure authorization. • Situations where multiple roles are assigned to the same user with different types of privilege on the same resource need to be considered. • Error/exception handling mechanisms used should not display too many development details. • System configuration needs to be analyzed, never use the default configuration. • Some coding scheme needs to be used which could be cross-referenced to an error description database.
  • 35. SECURITY RISK ASSESSMENT AND ASSURANCE • Applications need to be assessed at the business level to ascertain the risk based on information compromise, unauthorized access and availability for determining the security level that needs to be assigned to them. • After an application has been developed and functionally tested and before deploying it to production environment, we need to meticulously perform a security risk assessment and assurance test. • This test will help ensure the total system is in compliance based on the security level assigned to it. These tests need to be mandated on all applications, newly developed or changing an existing application or a purchased product. • Application risk checklists need to be developed to assure that proper security controls have been placed at the appropriate locations within the application. • The checklist must be updated at a regular interval to accommodate newer technologies and threats.
  • 36. SECURITY RISK ASSESSMENT AND ASSURANCE • The checklist should contain all aspects of logical access for various security levels including: • User identification (registration process). • Authentication (level, password strength, sign-on attempts, account lockout policies, helpdesk processes on unlocking, session tracking) – authorization. • Sensitive data handling(encryption, hashing). • Auditing features. • Security administration. • Tools, products or processes need to be employed to standardize the methodology of security assessments. • Application contingency plans should be reviewed to make sure all the backup and recovery plans are up to date so that there is no disruption of service (availability).
  • 37. Software security assurance program should ensure that: • A security evaluation has been performed for the software. • Security requirements have been established for the software. • Security requirements have been established for the software development and/or operations and maintenance (O&M) processes. • Each software review, or audit, includes an evaluation of the security requirements. • A configuration management and corrective action process is in place to provide security for the existing software and to ensure that any proposed changes do not inadvertently create security violations or vulnerabilities. • Physical security for the software is adequate. SECURITY RISK ASSESSMENT AND ASSURANCE
  • 39. SECURITY INFRASTRUCTURE WITH INTEROPERABLE COMPONENTS • The infrastructure needs to be interoperable with any application and be maintained by a team that can keep pace with the latest standards. • Accomplishing the above and offering security as a centralized component can be a tedious and painful task. Eventually, the Enterprise will realize the fruits - cost savings and controlled environment. • This centralized infrastructure should: • Provide Identity, authentication, authorization, confidentiality, integrity non-repudiation and audit components. • Adhere to industry standards. • Easily manageable and scalable. • Provide the framework which needs to adapt to newer technologies with less effort (security is a race where the good guys always need to be in front of the bad guys). • To provide the above infrastructure, the security team needs to analyze the existing applications and define the requirements.
  • 40. THANKS • If you feel it is helpful and worthy to share with other people, please share the same