GU CIS 315 - Security Engineering

Security Engineering
©Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 30 (38 slides; this preview covers slides 1 to 13)

Contents
• Objectives
• Topics covered
• Security engineering
• System layers
• Application/infrastructure security
• Security concepts
• Examples of security concepts
• Security threats
• Security controls
• Security risk management
• Preliminary risk assessment
• Asset analysis
• Threat and control analysis
• Security requirements
• Life cycle risk assessment
• Examples of design decisions
• Technology vulnerabilities
• Design for security
• Architectural design
• Protection
• Layered protection
• A distributed equity system
• Design guidelines
• Design guidelines 1
• Design guidelines 2
• Design for deployment
• System deployment
• Deployment support
• System survivability
• Service availability
• Survivability strategies
• System survivability method
• Key activities
• Trading system survivability
• Survivability analysis
• Key points

Slide 2: Objectives
• To introduce issues that must be considered in the specification and design of secure software.
• To discuss security risk management and the derivation of security requirements from a risk analysis.
• To describe good design practice for secure systems development.
• To explain the notion of system survivability and to introduce a method of survivability analysis.

Slide 3: Topics covered
• Security concepts
• Security risk management
• Design for security
• System survivability

Slide 4: Security engineering
• Tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data.
• A sub-field of the broader field of computer security.

Slide 5: System layers
(Layered diagram, from the platform up to the application.)
• Operating system
• Generic, shared applications (browsers, e-mail, etc.)
• Database management
• Middleware
• Reusable components and libraries
• Application

Slide 6: Application/infrastructure security
• Application security is a software engineering problem where the system is designed to resist attacks.
• Infrastructure security is a systems management problem where the infrastructure is configured to resist attacks.
• The focus of this chapter is application security.

Slide 7: Security concepts
Asset: A system resource that has a value and has to be protected.
Exposure: The possible loss or harm that could result from a successful attack. This can be loss or damage to data, or can be a loss of time and effort if recovery is necessary after a security breach.
Vulnerability: A weakness in a computer-based system that may be exploited to cause loss or harm.
Attack: An exploitation of a system's vulnerability. Generally, this is from outside the system and is a deliberate attempt to cause some damage.
Threat: Circumstances that have potential to cause loss or harm. You can think of these as a system vulnerability that is subjected to an attack.
Control: A protective measure that reduces a system's vulnerability. Encryption would be an example of a control that reduces a vulnerability of a weak access control system.

Slide 8: Examples of security concepts (clinic patient information system)
Asset: The records of each patient that is receiving or has received treatment.
Exposure: Potential financial loss from future patients who do not seek treatment because they do not trust the clinic to maintain their data. Financial loss from legal action by the sports star. Loss of reputation.
Vulnerability: A weak password system which makes it easy for users to set guessable passwords. User ids that are the same as names.
Attack: An impersonation of an authorised user.
Threat: An unauthorised user will gain access to the system by guessing the credentials (login name and password) of an authorised user.
Control: A password checking system that disallows passwords that are set by users which are proper names or words that are normally included in a dictionary.

Slide 9: Security threats
• Threats to the confidentiality of a system or its data.
• Threats to the integrity of a system or its data.
• Threats to the availability of a system or its data.

Slide 10: Security controls
• Controls that are intended to ensure that attacks are unsuccessful. This is analogous to fault avoidance.
• Controls that are intended to detect and repel attacks. This is analogous to fault detection and tolerance.
• Controls that are intended to support recovery from problems. This is analogous to fault recovery.

Slide 11: Security risk management
• Risk management is concerned with assessing the possible losses that might ensue from attacks on the system and balancing these losses against the costs of security procedures that may reduce these losses.
• Risk management should be driven by an organisational security policy.
• Risk management involves:
  • Preliminary risk assessment
  • Life cycle risk assessment

Slide 12: Preliminary risk assessment
(Process diagram. Its stages are:)
• Asset identification
• Asset value assessment
• Exposure assessment
• Threat identification
• Probability assessment
• Control identification
• Feasibility assessment
• Security requirements definition

Slide 13: Asset analysis
Asset: The information system
  Value: High. Required to support all clinical consultations. Potentially safety critical.
  Exposure: High. Financial loss as clinics may have to be cancelled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed.
Asset: The patient database
  Value: High. Required to support all clinical consultations. Potentially safety critical.
  Exposure: High. Financial loss as clinics may have to be cancelled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed.
Asset: An individual patient record
  Value: Normally low although may
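The control on the "Examples of security concepts" slide is a password checker that rejects proper names and dictionary words. The Python below is an added example of such a control; it is not code from Sommerville's book or the course. It goes a little beyond the slide: because the same slide names "user ids that are the same as names" as a vulnerability, it also rejects passwords that contain the user's login name, and it undoes trivial disguises (trailing digits, "leet" substitutions) before looking the password up, so that "P@ssw0rd123" is still recognised as "password". The word lists, user ids and passwords are constructed for the example; a real deployment would load full dictionary and name lists.

```python
"""Password-setting control from the clinic example: reject passwords that are
proper names, dictionary words, or built from the user's own login name.
Example code added to illustrate the slides; not from Sommerville's book."""

from __future__ import annotations

import re

# Constructed, deliberately tiny word lists. A deployment loads full dictionary
# and name lists (tens of thousands of entries) in their place.
DICTIONARY_WORDS = {"password", "welcome", "clinic", "summer", "letmein", "doctor"}
PROPER_NAMES = {"alice", "robert", "smith", "jones", "margaret"}

# Substitutions that password-guessing tools try as a matter of course, so they
# must not be allowed to turn a dictionary word into an "acceptable" password.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# Leading or trailing characters that are not letters ("Summer2024!" -> "summer").
_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def _candidates(password: str) -> set[str]:
    """Forms of the password that are looked up in the word lists: lower-cased,
    with leading/trailing digits or punctuation stripped, and with leet
    substitutions undone ("P@ssw0rd" -> "password")."""
    base = password.lower()
    forms = {base, _EDGE_JUNK.sub("", base)}
    forms |= {f.translate(_LEET) for f in forms}
    forms |= {_EDGE_JUNK.sub("", f) for f in forms}
    return {f for f in forms if f}


def check_password(user_id: str, password: str, min_length: int = 10) -> list[str]:
    """Return the policy violations found; an empty list means the password is accepted."""
    problems: list[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    forms = _candidates(password)

    # The slide's vulnerability: user ids equal to names. Reject the id itself and
    # any alphabetic part of it of three or more letters ("r.smith" -> "smith").
    uid = user_id.lower()
    uid_parts = [uid] + [p for p in re.split(r"[^a-z]+", uid) if len(p) >= 3]
    if any(part in f for part in uid_parts for f in forms):
        problems.append("contains the user's login name")

    if forms & DICTIONARY_WORDS:
        problems.append("is a dictionary word (or a trivial variant of one)")
    if forms & PROPER_NAMES:
        problems.append("is a proper name (or a trivial variant of one)")
    return problems


if __name__ == "__main__":
    # Constructed user ids and candidate passwords.
    for uid, pw in [("rsmith", "P@ssw0rd123"), ("rsmith", "RSmith2024!"),
                    ("mjones", "Margaret99"), ("mjones", "correct-horse-battery")]:
        verdict = check_password(uid, pw)
        print(f"{uid:8} {pw:24} {'accepted' if not verdict else '; '.join(verdict)}")
```

The check is deliberately a whole-string lookup after normalisation: it stops the guessable passwords the slide describes without rejecting long multi-word passphrases, which a naive "no dictionary word anywhere" rule would do.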
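Slides 11 to 13 describe the preliminary risk assessment as a chain of stages: asset identification and value assessment, exposure assessment, threat identification and probability assessment, control identification, feasibility assessment and finally security requirements definition, with losses "balanced against the costs of security procedures". The Python below, added here and not taken from the book, carries those stages through for the clinic example. Every number in it (exposure figures, attack probabilities, control costs and the fraction of risk each control removes) is constructed for illustration; the qualitative "High"/"Low" asset values are the ones from the asset analysis slide.

```python
"""Preliminary risk assessment (slides 11 to 13) carried through in code: asset
value and exposure, threat probability, control identification and feasibility,
then the security requirements that follow. Added example; the figures are
constructed for the clinic case and are not from Sommerville's book."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    value: str        # qualitative value, as in the asset analysis table
    exposure: float   # constructed loss (currency units) if the asset is compromised


@dataclass(frozen=True)
class Threat:
    asset: str          # name of the asset the threat endangers
    description: str
    probability: float  # estimated chance per year that the attack succeeds


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction by which the control cuts the probability of each named threat
    mitigates: dict[str, float] = field(default_factory=dict)


# Asset identification, value assessment and exposure assessment (constructed numbers).
ASSETS = {a.name: a for a in (
    Asset("information system", "High", 80_000.0),
    Asset("patient database", "High", 250_000.0),
    Asset("individual patient record", "Low", 40_000.0),
)}

# Threat identification and probability assessment (constructed).
THREATS = [
    Threat("patient database", "credential guessing against weak passwords", 0.30),
    Threat("information system", "denial of service during clinic hours", 0.10),
    Threat("individual patient record", "insider browses a high-profile patient's record", 0.50),
]

# Control identification (constructed costs and effectiveness).
CONTROLS = [
    Control("password checker that rejects names and dictionary words", 5_000.0,
            {"credential guessing against weak passwords": 0.8}),
    Control("standby server to keep clinics running", 60_000.0,
            {"denial of service during clinic hours": 0.9}),
    Control("access logging with monthly audit", 10_000.0,
            {"insider browses a high-profile patient's record": 0.6}),
]


def expected_loss(threat: Threat, assets=ASSETS) -> float:
    """Probability of the attack times the exposure of the asset it hits."""
    return threat.probability * assets[threat.asset].exposure


def rank_threats(threats=THREATS, assets=ASSETS) -> list[Threat]:
    """Threats ordered by expected loss, highest first: where to spend first."""
    return sorted(threats, key=lambda t: expected_loss(t, assets), reverse=True)


def assess_control(control: Control, threats=THREATS, assets=ASSETS) -> dict:
    """Feasibility assessment: the control is worth mandating when the expected
    loss it averts exceeds what it costs to run."""
    averted = sum(expected_loss(t, assets) * control.mitigates.get(t.description, 0.0)
                  for t in threats)
    return {"control": control.name, "averted_loss": averted,
            "cost": control.annual_cost, "feasible": averted > control.annual_cost}


def security_requirements(controls=CONTROLS, threats=THREATS, assets=ASSETS) -> list[str]:
    """Security requirements definition: one requirement per feasible control."""
    return [f"The system shall include: {c.name}."
            for c in controls if assess_control(c, threats, assets)["feasible"]]


if __name__ == "__main__":
    for t in rank_threats():
        print(f"{expected_loss(t):>10,.0f}  {t.asset} ({ASSETS[t.asset].value}): {t.description}")
    for c in CONTROLS:
        r = assess_control(c)
        print(f"{'ADOPT ' if r['feasible'] else 'REJECT'} {c.name}: "
              f"averts {r['averted_loss']:,.0f} for {r['cost']:,.0f}")
    print(*security_requirements(), sep="\n")
```

With these figures the password checker and the audit logging pass the feasibility test and become requirements, while the standby server does not: it averts far less expected loss than it costs, which is exactly the trade-off the risk management slide asks for. The same structure feeds the life cycle risk assessment later in the deck, since re-running it with updated probabilities after a design decision is just a new call with different inputs.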