CS 220 – Software Engineering© Binayak Bhattacharyya 20061 CS 220 - Software Engineering Instructor: Binayak Bhattacharyya [email protected]

CS 220 – Software Engineering © Binayak Bhattacharyya 2006 1

CS 220 - Software Engineering

Instructor: Binayak Bhattacharyya

[email protected]


Homework#5 is postedDue on: 05/11/2009


Homework#4 Solution

• New versions of software systems are created as they change:– For different machines/OS;– Offering different functionality;– Tailored for particular user requirements.

• Configuration management is concerned with managing evolving software systems:– System change is a team activity;– CM aims to control the costs and effort

involved in making changes to a system.

Configuration management

Configuration management

• Involves the development and application of procedures and standards to manage an evolving software product.

• CM may be seen as part of a more general quality management process.

• When released to CM, software systems are sometimes called baselines as they are a starting point for further development.

System families

Serverversion

Linuxversion

PC versionInitialsystem

Desktopversion

Windows XPversion

HPversion

Sunversion

CM standards

• CM should always be based on a set of standards which are applied within an organisation.

• Standards should define how items are identified, how changes are controlled and how new versions are managed.

• Standards may be based on external CM standards (e.g. IEEE standard for CM).

• Some existing standards are based on a waterfall process model - new CM standards are needed for evolutionary development.

Concurrent development and testing

• A time (say 2pm) for delivery of system components is agreed.

• A new version of a system is built from these components by compiling and linking them.

• This new version is delivered for testing using pre-defined tests.

• Faults that are discovered during testing are documented and returned to the system developers.

Frequent system building

• It is easier to find problems that stem from component interactions early in the process.

• This encourages thorough unit testing - developers are under pressure not to ‘break the build’.

• A stringent change management process is required to keep track of problems that have been discovered and repaired.

• All products of the software process may have to be managed:– Specifications;– Designs;– Programs;– Test data;– User manuals.

• Thousands of separate documents may be generated for a large, complex software system.

Configuration management planning

• Defines the types of documents to be managed and a document naming scheme.

• Defines who takes responsibility for the CM procedures and creation of baselines.

• Defines policies for change control and version management.

• Defines the CM records which must be maintained.

The CM plan

The CM plan

• Describes the tools which should be used to assist the CM process and any limitations on their use.

• Defines the process of tool use.• Defines the CM database used to

record configuration information.• May include information such as the

CM of external software, process auditing, etc.

• Large projects typically produce thousands of documents which must be uniquely identified.

• Some of these documents must be maintained for the lifetime of the software.

• Document naming scheme should be defined so that related documents have related names.

• A hierarchical scheme with multi-level names is probably the most flexible approach.– PCL-TOOLS/EDIT/FORMS/DISPLAY/AST-INTERFACE/CODE

Configuration item identification

Configuration hierarchy

PCL-TOOLS

EDIT

STRUCTURES

BIND

FORM

COMPILE MAKE-GEN

HELP

DISPLAY QUERY

AST-INTERFACEFORM-SPECS FORM-IO

CODEOBJECTS TESTS

• All CM information should be maintained in a configuration database.

• This should allow queries about configurations to be answered:– Who has a particular system version?– What platform is required for a particular version?– What versions are affected by a change to component

X?– How many reported faults in version T?

• The CM database should preferably be linked to the software being managed.

The configuration database

CM database implementation

• May be part of an integrated environment to support software development. – The CM database and the managed

documents are all maintained on the same system

• CASE tools may be integrated with this so that there is a close relationship between the CASE tools and the CM tools.

• More commonly, the CM database is maintained separately as this is cheaper and more flexible.

• Software systems are subject to continual change requests:– From users;– From developers;– From market forces.

• Change management is concerned with keeping track of these changes and ensuring that they are implemented in the most cost-effective way.

Change management

Request change by completing a change request form Analyze change request if change is valid then Assess how change might be implemented Assess change cost Submit request to change control board if change is accepted then repeat make changes to software submit changed software for quality approval until software quality is adequate create new system version else reject change request else reject change request

The change management process

• The definition of a change request form is part of the CM planning process.

• This form records the change proposed, requestor of change, the reason why change was suggested and the urgency of change(from requestor of the change).

• It also records change evaluation, impact analysis, change cost and recommendations (System maintenance staff).

Change request form

Change request form

Change Request Form

Project: Proteus/PCL-Tools Number: 23/02Change requester: I. Sommerville Date: 1/12/02Requested change: When a component is selected from the structure, displaythe name of the file where it is stored.

Change analyser: G. Dean Analysis date: 10/12/02Components affected: Display-Icon.Select, Display-Icon.Display

Associated components: FileTable

Change assessment: Relatively simple to implement as a file name table isavailable. Requires the design and implementation of a display field. No changesto associated components are required.

Change priority: Low

Change implementation:Estimated effort: 0.5 days

Date to CCB: 15/12/02 CCB decision date: 1/2/03CCB decision: Accept change. Change to be implemented in Release 2.1.Change implementor: Date of change:Date submitted to QA: QA decision:Date submitted to CM:Comments

• A major problem in change management is tracking change status.

• Change tracking tools keep track the status of each change request and automatically ensure that change requests are sent to the right people at the right time.

• Integrated with E-mail systems allowing electronic change request distribution.

Change tracking tools

• Changes should be reviewed by an external group who decide whether or not they are cost-effective from a strategic and organizational viewpoint rather than a technical viewpoint.

• Should be independent of project responsible for system. The group is sometimes called a change control board.

• The CCB may include representatives from client and contractor staff.

Change control board

• This is a record of changes applied to a document or code component.

• It should record, in outline, the change made, the rationale for the change, who made the change and when it was implemented.

• It may be included as a comment in code. If a standard prologue style is used for the derivation history, tools can process this automatically.

Derivation history

Component header information

• Invent an identification scheme for system

versions.• Plan when a new system version is to be

produced.• Ensure that version management

procedures and tools are properly applied.• Plan and distribute new system releases.

Version and release management

• Version An instance of a system which is functionally distinct in some way from other system instances.

• Variant An instance of a system which is functionally identical but non-functionally distinct from other instances of a system.

• Release An instance of a system which is distributed to users outside of the development team.

Versions/variants/releases

Version identification

• Procedures for version identification should define an unambiguous way of identifying component versions.

• There are three basic techniques for component identification– Version numbering;– Attribute-based identification;– Change-oriented identification.

• Simple naming scheme uses a linear derivation – V1, V1.1, V1.2, V2.1, V2.2 etc.

• The actual derivation structure is a tree or a network rather than a sequence.

• Names are not meaningful. • A hierarchical naming scheme leads to

fewer errors in version identification.

Version numbering

Version derivation structure

V1.0 V1.1 V1.2 V2.0 V2.1 V2.2

V1.1b V1.1.1

V1.1a

• Attributes can be associated with a version with the combination of attributes identifying that version– Examples of attributes are Date, Creator,

Programming Language, Customer, Status etc.

• This is more flexible than an explicit naming scheme for version retrieval; However, it can cause problems with uniqueness - the set of attributes have to be chosen so that all versions can be uniquely identified.

• In practice, a version also needs an associated name for easy reference.

Attribute-based identification

Attribute-based queries

• An important advantage of attribute-based identification is that it can support queries so that you can find ‘the most recent version in Java’ etc.

• The query selects a version depending on attribute values– AC3D (language =Java, platform = XP,

date = Jan 2003).

Change-oriented identification

• Integrates versions and the changes made to create these versions.

• Used for systems rather than components.• Each proposed change has a change set that

describes changes made to implement that change.

• Change sets are applied in sequence so that, in principle, a version of the system that incorporates an arbitrary set of changes may be created.

• Releases must incorporate changes forced on the system by errors discovered by users and by hardware changes.

• They must also incorporate new system functionality.

• Release planning is concerned with when to issue a system version as a release.

Release management

System releases

• Not just a set of executable programs.• May also include:

– Configuration files defining how the release is configured for a particular installation;

– Data files needed for system operation;– An installation program or shell script to install the

system on target hardware;– Electronic and paper documentation;– Packaging and associated publicity.

• Systems are now normally released on optical disks (CD or DVD) or as downloadable installation files from the web.

• Customer may not want a new release of the system– They may be happy with their current

system as the new version may provide unwanted functionality.

• Release management should not assume that all previous releases have been accepted. All files required for a release should be re-created when a new release is installed.

Release problems

Release decision making

• Preparing and distributing a system release is an expensive process.

• Factors such as the technical quality of the system, competition, marketing requirements and customer change requests should all influence the decision of when to issue a new system release.

System release strategy

Factor Description

Technical quality ofthe system

If serious system faults are reported which affect the way in whichmany customers use the system, it may be necessary to issue a faultrepair release. However, minor system faults may be repaired by issuingpatches (often distributed over the Internet) that can be applied to thecurrent release of the system.

Platform changes You may have to create a new release of a software application when anew version of the operating system platform is released.

LehmanÕs fifth law(see Chapter 21)

This suggests that the increment of functionality that is included in eachrelease is approximately constant. Therefore, if there has been a systemrelease with significant new functionality, then it may have to befollowed by a repair release.

Competition A new system release may be necessary because a competing product isavailable.

Marketingrequirements

The marketing department of an organisation may have made acommitment for releases to be available at a particular date.

Customer changeproposals

For customised systems, customers may have made and paid for aspecific set of system change proposals and they expect a system releaseas soon as these have been implemented.

Release creation

• Release creation involves collecting all files and documentation required to create a system release.

• Configuration descriptions have to be written for different hardware and installation scripts have to be written.

• The specific release must be documented to record exactly what files were used to create it. This allows it to be re-created if necessary.

• The process of compiling and linking software components into an executable system.

• Different systems are built from different combinations of components.

• This process is now always supported by automated tools that are driven by ‘build scripts’.

System building

• Do the build instructions include all required components?– When there are many hundreds of components making up

a system, it is easy to miss one out. This should normally be detected by the linker.

• Is the appropriate component version specified?– A more significant problem. A system built with the wrong

version may work initially but fail after delivery.

• Are all data files available?– The build should not rely on 'standard' data files. Standards

vary from place to place.

System building problems

• Are data file references within components correct?– Embedding absolute names in code almost always causes

problems as naming conventions differ from place to place.

• Is the system being built for the right platform– Sometimes you must build for a specific OS version or

hardware configuration.

• Is the right version of the compiler and other software tools specified?– Different compiler versions may actually generate different

code and the compiled component will exhibit different behaviour.

System building problems

System building

Systembuilder

Versionmanagement

systemCompilers Linker

Buildscript

Source codecomponent

versions

Object codecomponents

Executablesystem

CASE tools for configuration management

• CM processes are standardised and involve applying pre-defined procedures.

• Large amounts of data must be managed.

• CASE tool support for CM is therefore essential.

• Mature CASE tools to support configuration management are available ranging from stand-alone tools to integrated CM workbenches.

CM workbenches

• Open workbenches– Tools for each stage in the CM process are

integrated through organisational procedures and scripts. Gives flexibility in tool selection.

• Integrated workbenches– Provide whole-process, integrated support

for configuration management. More tightly integrated tools so easier to use. However, the cost is less flexibility in the tools used.

Change management tools

• Change management is a procedural process so it can be modelled and integrated with a version management system.

• Change management tools– Form editor to support processing the change request

forms;– Workflow system to define who does what and to

automate information transfer;– Change database that manages change proposals and is

linked to a VM system;– Change reporting system that generates management

reports on the status of change requests.

Version management tools

• Version and release identification– Systems assign identifiers automatically when a new version

is submitted to the system.• Storage management.

– System stores the differences between versions rather than all the version code.

• Change history recording– Record reasons for version creation.

• Independent development – Only one version at a time may be checked out for change.

Parallel working on different versions.• Project support

– Can manage groups of files associated with a project rather than just single files.

Delta-based versioning

Version1.0

Version1.1

Version1.2

Version1.3

D1 D2 D3

Creation date

System building

• Building a large system is computationally expensive and may take several hours.

• Hundreds of files may be involved.• System building tools may provide

– A dependency specification language and interpreter;

– Tool selection and instantiation support;– Distributed compilation;– Derived object management.

Component dependencies

comp

scan.o syn.o sem.o cgen.o

scan.c syn.c

defs.h

sem.c cgen.c

SCM Tools

• Subversion• CruiseControl• ant• ClearCase• Serena TeamTrack

• Configuration management is the management of system change to software products.

• A formal document naming scheme should be established and documents should be managed in a database.

• The configuration data base should record information about changes and change requests.

• A consistent scheme of version identification should be established using version numbers, attributes or change sets.

Key points

Key points

• System releases include executable code, data, configuration files and documentation.

• System building involves assembling components into a system..

• CASE tools are available to support all CM activities

• CASE tools may be stand-alone tools or may be integrated systems which integrate support for version management, system building and change management.

• Tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data.

• A sub-field of the broader field of computer security.

Security engineering

System layers

Operating System

Generic, shared applications (Browsers, e--mail, etc)

Database management

Middleware

Reusable components and libraries

Application

Application/infrastructure security

• Application security is a software engineering problem where the system is designed to resist attacks.

• Infrastructure security is a systems management problem where the infrastructure is configured to resist attacks.

• The focus of this chapter is application security.

Security concepts

Term Definition Asset A system resource that has a value and has to be protected. Exposure The possible loss or harm that could result from a successful

attack. This can be loss or damage to data or can be a loss of time and effort if recovery is n ecessary after a se curity breach.

Vulnerability A weakness in a computer-based system that may be exploited to cause loss or harm.

Attack An exploitation of a s ystemÕs vulnerability. Generally, this is from outside the system and is a deliberate attempt to cause some damage.

Threats Circumstances that have potential to cause loss or harm. You can think of these as a system vulnerability that is subjected to an attack.

Control A protective measure that reduces a s ystemÕs vulnerability. Encryption would be an example of a control that reduced a vulnerability of a weak access control system.

Examples of security concepts

Term Definition Asset The records of each patient that is receiving or has received

treatment. Exposure Potential financial loss from future patients who do not seek

treatment because they do not trust the clinic to maintain their data. Financial loss from legal action by the sports star. Loss of reputation.

Vulnerability A weak password system which makes it easy for u sers to set guessable passwords. User ids that are the same as names.

Attack An impersonation of an authorised user. Threat An unauthorised user will gain access to th e system by

guessing the credentials (login name and password) of a n authorised user.

Control A password checking system that disallows passwords that are set by users which are proper names or word s that are normally included in a dictionary.

Security threats

• Threats to the confidentiality of a system or its data

• Threats to the integrity of a system or its data

• Threats to the availability of a system or its data

Security controls

• Controls that are intended to ensure that attacks are unsuccessful. This is analagous to fault avoidance.

• Controls that are intended to detect and repel attacks. This is analagous to fault detection and tolerance.

• Controls that are intended to support recovery from problems. This is analagous to fault recovery.

Security risk management

• Risk management is concerned with assessing the possible losses that might ensue from attacks on the system and balancing these losses against the costs of security procedures that may reduce these losses.

• Risk management should be driven by an organisational security policy.

• Risk management involves– Preliminary risk assessment– Life cycle risk assessment

Preliminary risk assessment

Assetidentification

Asset valueassessment

Threatidentification

Probabilityassessment

Exposureassessment

Security req.definition

Controlidentification

Feasibilityassessment

Asset analysis

Asset Value Exposure

The information system

High. Required to support all clinical consultations. Potentially safety critical.

High. Financial loss as c linics may have to be cancelled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed.

The patient database

High. Required to support all clinical consultations. Potentially safety critical.

High. Financial loss as c linics may have to be cancelled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed.

An individual patient record

Normally low although may be high for specific high-profile patients

Low direct losses but possible loss of reputation.

Threat and control analysis

Threat Probability Control Feasibility Unauthorised user gains access as system manager and makes system unavailable

Low Only allow system management from specific locations which are physically secure.

Low cost of i mplementation but care must be taken with key distribution and to e nsure that keys are available in the event of an emergency.

Unauthorised user gains access as system user and accesses confidential information

High Require all users to authenticate themselves using biometric mechanism. Log all changes to patient information to track system usage.

Technically feasible but high cost solution. Possible user resistance. Simple and transparent to implement and also supports recovery.

Security requirements

• Patient information must be downloaded at the start of a clinic session to a secure area on the system client that is used by clinical staff.

• Patient information must not be maintained on system clients after a clinic session has finished.

• A log on a separate computer from the database server must be maintained of all changes made to the system database.

Life cycle risk assessment

• Risk assessment while the system is being developed and after it has been deployed

• More information is available - system platform, middleware and the system architecture and data organisation.

• Vulnerabilities that arise from design choices may therefore be identified.

Examples of design decisions

• System users authenticated using a name/password combination.

• The system architecture is client-server with clients accessing the system through a standard web browser.

• Information is presented as an editable web form.

Technology vulnerabilities

Login/passwordauthentication

Users setguessablepasswords

Authorised users revealtheir passwords tounauthorised users

Technology choice Vulnerabilities

Client/serverarchitecture using

web browser

Server subject todenial of service

attack

Confidential info. may beleft in browser cache

Browser securityloopholes lead to

unauthorised access

Use of editableweb forms

Fine-grain loggingof changes isimpossible

Authorisation can’t bevaried according to user’s

role


Security Vulnerabilities


Creating Security Strategies


Key Security Terminology


Security in the Application Development Process


STRIDE Threat Model

• The STRIDE threat model is a technique used for identifying and categorizing threats to an application. Most security threats combine more than one element of the STRIDE model:


STRIDE

• Spoofing identity: Security threats that fall into the category of spoofing identity are those in which a malicious user can pose as a trusted entity, undifferentiated by the computer system.

• Tampering: Tampering occurs when a user gains unauthorized access to a computer and then changes its operation, configuration, or data.

• Repudiation: A repudiation threat results when a system administrator or security agent is unable to prove that a user—malicious or otherwise—has performed some action.


STRIDE

• Information disclosure: An information disclosure threat results when an unauthorized user can view private data, such as a file that contains a credit card number and expiration date.

• Denial of service: A denial-of-service (DoS) threat includes any attack that attempts to shut down or

• prevent access to a computing resource. Denial-of-service attacks can cause the following behaviors on a computer:

• An application or the operating system stops functioning.• The CPU is engaged in long, pointless calculations.• System memory is consumed so that the functioning of

applications and the operating system is impaired.• Network bandwidth is reduced or completely throttled.


STRIDE

• Elevation of privilege: Elevation of privilege results when a user gains access to greater privileges than the administrator intended. Elevation of privilege creates the opportunity for a malicious user to initiate attacks of every other category of security threat.


How to Create a Threat Model


Example (Web-based expense report application)






How to Use a Threat Model


Mitigation techniques


Mitigation techniques


Mitigation techniques as appliedto various STRIDE threats.


Security Policy

Design for security

• Architectural design - how do architectural design decisions affect the security of a system?

• Good practice - what is accepted good practice when designing secure systems?

• Design for deployment - what support should be designed into a system to avoid the introduction of vulnerabilities when a system is deployed for use?

Architectural design

• Protection– How should the system be organised so that

critical assets can be protected against external attack?

• Distribution– How should system assets be distributed so that

the effects of a successful attack are minimised?

• Potentially conflicting– If assets are distributed, then they are more

expensive to protect.

Protection

• Platform-level protection• Application-level protection• Record-level protection

Layered protectionPlatform level protection

Application level protection

Record level protection

Patient records

Systemauthentication

Systemauthorisation

File integritymanagement

Databaselogin

Databaseauthorisation

Transactionmanagement

Databaserecovery

Record accessauthorisation

Recordencryption

Record integritymanagement

A distributed equity system

US equity dataUS tradinghistory

Internationalequity prices

US funds data

US user accounts Internationaluser accounts

New York trading system

Authentication and authorisation

UK equity dataUK tradinghistory


UK funds data

UK user accounts Internationaluser accounts

London trading system


Euro. equity dataEuro. tradinghistory


Euro. funds data

European useraccounts

Internationaluser accounts

Frankfurt trading system


Asian equity dataHK tradinghistory


Asian funds data

HK user accounts Internationaluser accounts

Hong Kong trading system


Design guidelines

• Design guidelines encapsulate good practice in secure systems design

• Design guidelines serve two purposes:– They raise awareness of security issues

in a software engineering team.– They can be used as the basis of a

review checklist that is applied during the system validation process.

Design guidelines 1

• Base security decisions on an explicit security policy

• Avoid a single point of failure• Fail securely• Balance security and usability• Be aware of the possibilities of social

engineering

Design guidelines 2

• Use redundancy and diversity to reduce risk

• Validate all inputs• Compartmentalise your assets• Design for deployment• Design for recoverability

Design for deployment

• Deployment involves configuring software to operate in its working environment, installing the system and configuring it for the operational platform.

• Vulnerabilities may be introduced at this stage as a result of configuration mistakes.

• Designing deployment support into the system can reduce the probability that vulnerabilities will be introduced.

System deployment

Understand and definethe software’s operational

environment

Configure software withenvironment details

Install software oncomputers where it will

operate

Configure software withcomputer details

Deployment support

• Include support for viewing and analysing configurations

• Minimise default privileges and thus limit the damage that might be caused

• Localise configuration settings• Provide easy ways to fix security

vulnerabilities

System survivability

• Survivability is an emergent system property that reflects the systems ability to deliver essential services whilst it is under attack or after part of the system has been damaged

• Survivability analysis and design should be part of the security engineering process

Service availability

• Which system services are the most critical for a business?

• How might these services be compromised?

• What is the minimal quality of service that must be maintained?

• How can these services be protected?• If a service becomes unavailable, how

quickly can it be recovered?

Survivability strategies

• Resistance – Avoiding problems by building capabilities

into the system to resist attacks• Recognition

– Detecting problems by building capabilities into the system to detect attacks and failures and assess the resultant damage

• Recovery– Tolerating problems by building capabilities

into the system to deliver services whilst under attack

System survivability method

1. Review systemrequirements and

architecture

2. Identify critical servicesand components

3. Identify attacks andcompromisablecomponents

4. Identify softspots andsurvivability strategies

Key activities

• System understanding– Review golas, requirements and

architecture• Critical service identification

– Identify services that must be maintained• Attack simulation

– Devise attack scenarios and identify components affected

• Survivability analysis– Identify survivability strategies to be applied

Trading system survivability

• User accounts and equity prices replicated across servers so some provision for survivability made

• These servers are called Disaster Recovery servers (DR servers).

• Key capability to be maintained is the ability to place orders for stock

• Orders must be accurate and reflect the actual sales/purchases made by a trader

Survivability analysis

Attack Resistance Recognition Recovery Unauthorised user places malicious orders

Require dealing password to place orders that is different from login password.

Send copy of order by email to authorised user with contact phone number (so that they can detect malicious orders) Maintain userÕs order history and check for unusual trading patterns.

Provide mechanism to automatically ÔundoÕ trades and restore user accounts. Refund users for losses that are due to malicious trading. Insure against consequential losses.

Corruption of transactions database

Require privileged users to be authorised using a stronger authentication mechanism, such as digital certificates.

Maintain read-only copies of transactions for an office on an international server. Periodically compare transactions to check for corruption. Maintain cryptographic checksum with all transaction records to detect corruption.

Recover database from backup copies. Provide a mechanism to replay trades from a specified time to recreate transactions database.


Reading from the Book

• Chapter 29 :Page 689-711• Chapter 30 :Page 717-742

Documents

CS 220 – Software Engineering© Binayak Bhattacharyya 20061 CS 220 - Software Engineering Instructor: Binayak Bhattacharyya [email protected]