CS 325: Software Engineering
April 14, 2015
Software Security
• Security Requirements
• Software Security in the Life Cycle
Security Requirements

As software becomes more complex and data becomes more sensitive, software systems must meet an increasing number of security requirements.

Identification Requirements
The system must identify the users or systems with which it is about to interact via passwords, encryption key protocols, etc.

Authentication Requirements
The system must confirm the identity of the user or system that is trying to interact with it via biometrics, reverse encryption, etc.

Authorization Requirements
The system must determine the extent to which the user or system is authorized to access its information and functionality via access control lists, privilege hierarchies, etc.
Security Requirements

Immunity Requirements
The system must protect itself from malicious attacks, such as viruses, worms, and Trojan horses.

Integrity Requirements
The system must prevent intentional corruption via unauthorized creation, modification, or deletion of data or files.

Intrusion Detection Requirements
The system must be able to detect and record any unauthorized attempts to access its files or data.

Nonrepudiation Requirements
The system must be capable of preventing anyone who accessed its files or data from denying it later.
Security Requirements

Privacy Requirements
The system must protect the privacy rights of its users and of anyone affected by its data and files.

Survivability Requirements
The system must be able to withstand the intentional loss or destruction of its constituent files and data.

Resilience Requirements
The system must be able to recover adequately from any successful attack.
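An added example, not part of the original slides: a small Python sketch of how the authorization, intrusion detection, and integrity requirements above can meet in code. An access control list decides each request, every denied attempt is recorded, and the log is MAC-chained so later edits to it are detectable. The ACL contents, user names, and key are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample ACL: resource -> user -> permitted actions.
ACL = {"grades.db": {"alice": {"read", "write"}, "bob": {"read"}}}
LOG_KEY = b"demo-key-for-illustration-only"  # assumption: a real key lives in a secrets store


class AuditLog:
    """Append-only log; each record's MAC also covers the previous record's MAC."""

    def __init__(self, key):
        self.key = key
        self.records = []

    def _mac(self, prev, entry):
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self.key, prev.encode() + body, hashlib.sha256).hexdigest()

    def append(self, entry):
        prev = self.records[-1]["mac"] if self.records else ""
        self.records.append({"entry": entry, "mac": self._mac(prev, entry)})

    def verify(self):
        """False if any record was altered, reordered, or dropped from mid-chain."""
        prev = ""
        for rec in self.records:
            if not hmac.compare_digest(rec["mac"], self._mac(prev, rec["entry"])):
                return False
            prev = rec["mac"]
        return True


def authorize(user, action, resource, log):
    """Authorization check against the ACL; denied attempts are recorded."""
    allowed = action in ACL.get(resource, {}).get(user, set())
    if not allowed:
        log.append({"user": user, "action": action, "resource": resource, "result": "denied"})
    return allowed


def demo():
    """Run three constructed requests; two are denied and end up in the log."""
    log = AuditLog(LOG_KEY)
    attempts = [("alice", "write"), ("bob", "write"), ("mallory", "read")]
    return [authorize(u, a, "grades.db", log) for u, a in attempts], log
```

The chain does not detect removal of the most recent records; catching that requires storing the latest MAC somewhere the log writer cannot change.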
Software Security in the Life Cycle

Security mechanisms can be put into place at several locations within the software life cycle.

Life-cycle stages: Requirements and Use Cases; Design; Test Plans; Code; Test Results; Field Feedback

• Abuse Cases – Similar to use cases, they describe the system’s behavior when it’s under attack
• Security Reqs. – Specific security needs, like passwords and encryption
• Risk Analysis – Clarify req. docs. & identify possible attacks
• External Review – Have parties outside the design team review the design for security issues
• Risk-Based Security Tests – Use attack patterns & threat models to test system security
• Static Analysis Tools – Scan the source code for common vulnerabilities
• Penetration Testing – Search for architectural flaws in the fielded environment that wouldn’t appear in the development lab
• Security Breaks – Have the customer report post-delivery security problems so preventive measures can be put in place in future releases