Case Study: A Forensic Lesson for Web Security (MSS, part one)


Overview of Security & Java
(based on GS: Ch. 1)
csci5233 Computer Security & Integrity
Security Goals for Application Development

1. Protect sensitive data
2. Control access to resources
3. Log activity

cf. the five security goals: authenticity, confidentiality, integrity, availability, and non-repudiation

Q: Compare the three goals in this chapter with the five goals above.
Security Policy

- An explicit statement of what actions are and are not allowed within an organization.
  - Acceptable use of corporate resources
  - Remote access policy
  - User privileges, …
- It helps to define the limits of what your application needs to protect against.
- It helps to identify the important resources.
- It is guided by the business needs, rules, and related laws (example: HIPAA - Health Insurance Portability and Accountability Act of 1996).
Analysis of Security Requirements

- Security requirements of an application are affected by the organization’s security policy. It is usually a compromise.
- Two areas need to be carefully examined:
  A. Risk Assessment
     - Cost of data loss or exposure
     - “Worthiness” of data
     - Value of the application
     - Cost of unauthorized use of the application
     - Where is the weakest link?
     - …
  B. Data Exposure
Analysis of Security Requirements

B. Data Exposure
   - Identify the types of vulnerability: When, where, how, and by whom would the data most likely be exposed?
   - Which of the vulnerabilities are most in need of strengthening (per the security policy)?
   - Two major types of vulnerability:
     1. People
        - External
        - Internal
        - Roles
     2. Vulnerability points
        - Potential points of vulnerability in the system, where data are accessed, transmitted, stored, etc.
Analysis of Security Requirements

- An example of security requirements analysis:
  - Design of a Network Security Testing Environment (a draft)
    http://sce.cl.uh.edu/yang/research/NetworkSecurityTestingEnvironment.pdf
Analysis of Security Requirements

- Usability of the system should be integrated into the security requirements.
- Ideally, the enforcement of the security requirements should be “transparent” to the end users.
- Achieving a successful balance between usability and security of a system is one of the hardest parts of creating a secure system.
Analysis of Security Requirements

- Contingency plans
  - How would the organization respond to security breaches?
  - How about violation of privacy?
  - Violation of copyright?
Implementation of Security

- Security technologies & tools
  - The OS
  - IP security
  - VPN (virtual private networks)
  - Firewalls
  - ID (intrusion detection) tools & systems
  - Java security features and tools
    - Java language features (Ch. 2)
    - Byte code verifier
    - Class loader
    - Java cryptography (JCA, JCE: Ch. 3)