csci5233 Computer Security & Integrity: Overview of Security & Java (based on GS: Ch. 1)


Upload: douglas-farmer

Post on 21-Jan-2016



Security Goals for Application Development

1. Protect sensitive data
2. Control access to resources
3. Log activity

Cf. the five security goals: authenticity, confidentiality, integrity, availability, and non-repudiation.

Q: Compare the three goals in this chapter with the five goals above.


Security Policy

An explicit statement of what actions are and are not allowed within an organization.

- Acceptable use of corporate resources
- Remote access policy
- User privileges, …

It helps to define the limits of what your application needs to protect against.

It helps to identify the important resources.

It is guided by the business needs, rules, and related laws (example: HIPAA - Health Insurance Portability and Accountability Act of 1996).


Analysis of Security Requirements

The security requirements of an application are affected by the organization’s security policy. They are usually a compromise.

Two areas need to be carefully examined:

A. Risk Assessment
- Cost of data loss or exposure
- “Worthiness” of data
- Value of the application
- Cost of unauthorized use of the application
- Where is the weakest link?
- …

B. Data Exposure


Analysis of Security Requirements

B. Data Exposure
- Identify the types of vulnerability: when, where, how, and by whom would the data most likely be exposed?
- Which of the vulnerabilities are most in need of strengthening (per the security policy)?
- Two major types of vulnerability:
  1. People
     o External
     o Internal
     o Roles
  2. Vulnerability points
     o Potential points of vulnerability in the system, where data are accessed, transmitted, stored, etc.


Analysis of Security Requirements

An example of security requirements analysis:

Design of a Network Security Testing Environment (a draft)
http://sce.cl.uh.edu/yang/research/NetworkSecurityTestingEnvironment.pdf


Analysis of Security Requirements

Usability of the system should be integrated into the security requirements.

Ideally, the enforcement of the security requirements should be “transparent” to the end users.

Achieving a successful balance between usability and security of a system is one of the hardest parts of creating a secure system.


Analysis of Security Requirements

Contingency plans
- How would the organization respond to security breaches?
- How about violation of privacy?
- Violation of copyright?


Implementation of Security

Security technologies & tools
- The OS
- IP security
- VPN (virtual private networks)
- Firewalls
- ID (intrusion detection) tools & systems
- Java security features and tools
  o Java language features (Ch. 2)
  o Byte code verifier
  o Class loader
  o Java cryptography (JCA, JCE: Ch. 3)