Software Security and Security Engineering (Part 1) Software Engineering Sources: Introduction to Computer Security, Matt Bishop, Addison Wesley, 2003 Chapter 1 Ian Somerville, Software Engineering, Chapter 12, 14 Fundamental of Information Systems Security, Kim and Solomon, Jones and Bartlett, 2012, Chapter 1 and 8

Software Engineering

Sources:Introduction to Computer Security, Matt Bishop, Addison Wesley, 2003

Chapter 1Ian Somerville, Software Engineering, Chapter 12, 14

Fundamental of Information Systems Security, Kim and Solomon, Jones and Bartlett, 2012, Chapter 1 and 8

Security: A Persistent Problem

Why? Financial motivation Religious/political motivation Personal grudge Boredom ..

How? Physical access Exploit lack of awareness and training Exploit weak security policies and procedures Exploit vulnerabilities in applications and security mechanisms

Victim? Financial institutions Education institutions Government agencies E-commerce web sites ANYONE

Cost of Security Incidents in USA Average cost to company for security breach: $5.5 million

2011 Cost of Data Breach Study, Ponemon Institute Dollar loss reported for Internet crime

Latest Internet Crime (IC3) Annual Report (2012)

Source of Security Incidents

Global State of Information Security Survey 2013http://www.pwc.com/gx/en/consulting-services/information-security-survey/giss.jhtml

Impact of Security Incidents

Global State of Information Security Survey 2013http://www.pwc.com/gx/en/consulting-services/information-security-survey/giss.jhtml

We are @top of the game …

Symantec Intelligence Report January 2013

Symantec Intelligence Report January 2013

Symantec Intelligence Report February 2013

Symantec Intelligence Report January 2013

Malicious Activity by Source, Overall Ranking 2011-2012

Symantec 2013 Internet Security Threat Report

Who is Targeting Whom

Symantec 2010 Annual Security Report

Problem with Security• Most do not understand/know about it• Those who do understand, underestimates it• Those who understands and don’t underestimate, address

it insufficiently

Attention Factors Increased attack frequency

More attacks and attackers, more motivations for attacks, more availability of attack tools

Increased awareness More activities and coverage in media Presidents’ Executive Order on CyberSecurity Cyber Security Act of 2012 controversy Cyber-warfare/cyber-espionage

More Laws The Personal Data Protection and Breach Accountability Act of 2011 The Personal Data Privacy and Security Act of 2011 Data Security and Breach Notification Act of 2012 CyberSecurity and American Cyber Competitiveness Act (2013) Cyber Intelligence Sharing and Protection Act (2013)

What’s Trending in Security Cyber-crime as a service Cyber-warfare Targeted attacks Attacks/defenses in

Cross platform Mobile platform Web technologies/platforms Cloud computing/Virtual environment Big data Critical Infrastructure



Security Prioritized


Boost in Security Expenditures Homeland Security

$756 Million in 2013 $786 Million for 2014

US Cyber Command $3.2 Billion in 2012 $3.4 Billion in 2013

Private Sector $35.1 Billion in 2011 $49.1 Billion by 2015



NSF Spending in Security


Security Employment - Current Demand for cyber security professionals grew

73% during the five years from 2007 to 2012– 3.5 times the pace of the overall IT job market– 12 times the overall job market

Bureau of Labor Statistics May 2012 Report 72,670 Information Security Analysts $89,290 Mean Annual Salary



Security Job Market


Security Employment - Future


Defense Department’s Cyber Command to recruit 4900 in next few years (now at 900)

Bureau of Labor Statistics 2010 – 20 Projected Growth

Security Fundamentals Information assurance and security Offensive and defensive goals Threats and attacks CIA model Defense in Depth Security policy/controls

Information Assurance (IA) & Security


IA is the perception that systems are operating as expected in a protected environment.

Security is measures and controls to achieve IA.

Two Sides in Security Offensive Side

Defensive Side

Offensive Goal


& AttacksVulnerabilities Harm/Loss




Terms Threat

Potential to inflict harm to an asset or cause security violations Attack

Infliction of harm to an asset or causing security violations Vulnerability

A weakness in security procedures or system design, implementation, or operation that can be used to cause security policy violation

Risk Potential loss or harm or security violation Likelihood that a particular threat can exploit a particular

vulnerability or a set of vulnerabilities to violate security policy

General Classes of Threats

Disclosure Deception Disruption Usurpation

Specific Types of Attacks Snooping/Sniffing Spoofing Modification Repudiation of Origin Delay Denial of Receipt Denial of Service

Security Controls

Defensive Goal





Security Perimeter

CIA Model of IA Confidentiality

Keeping data and resources hidden Integrity (Data and Origin)

Keeping data (and data sources) and resources uncorrupted Availability

Keeping data and resources usable

Accountability (a.k.a. Non-Repudiation) Holding one accountable for action

Offensive & Defensive Goal Snooping/Sniffing



Repudiation of Origin

Denial of Receipt


Denial of Service


Origin Integrity

Data Integrity

Origin Integrity, Accountability




Confidentiality Integrity (Data and origin) Availability Accountability

Cyber Good, bad and ugly


Ten Commandments of Computer Ethics1. Thou shalt not use a computer to harm other people.2. Thou shalt not interfere with other people's computer work.3. Thou shalt not snoop around in other people's computer files.4. Thou shalt not use a computer to steal.5. Thou shalt not use a computer to false witness.6. Thou shalt not copy or use proprietary software for which you have not paid.7. Thou shalt not use other people's computer resources without authorization or

proper compensation.8. Thou shalt not appropriate other people's intellectual output.9. Thou shalt think about the social consequences of the program you are writing or

the system you are designing.10. Thou shalt always use a computer in ways that ensure consideration and respect

for your fellow humans.

Goals of Security: Defense in Depth

1) Prevent• Securing an environment to avoid penetration

2) Deter• Applying protection mechanisms to hurdle intruder efforts and thus causing

delays in achieving a malicious goal 3) Detect

• Ensuring visibility of suspicious activities4) Response

• Reacting to security incidents by notification, eradication, interdiction, prosecution

• Continuing to survive to some extent5) Recover

• Assessing and repairing damage• Improving

End to End Security Hardware Software Data

In processing In transit In storage


Security Policy An organizational security policy applies to all systems and

its users and sets out what should and should not be allowed. Types

Military– Readers may not access documents above his/her privilege level

Commercial– A customer may not change price of the product.

A security policy helps identify system security requirements with risk management processes in place.

Enforcing Policy Explicit Policy

X cannot view Y’s notes Y have to protect notes

– If anything happens, both X and Y can be held accountable

Explicit Policy X cannot view Y’s notes Implicit Policy

Y have to protect notes

– If anything happens, only X can be hold accountable

Policy, Model & Mechanism

Security Policy Statement of what is allowed and how

– The system is only available to use by employees. Security Model

Representation of policy– Formal/mathematical models

Security Mechanism Methods and tools to ensure policy by implementing

model– Password based login system

Trust Trust and assumption play crucial role in policy, especially,

integrity policy As trust is hard to quantify, policies are hard to evaluate

completely Attackers look for assumptions and trusted users to find

possible weak points in implementation of policy

Role of Trust Higher level assumption example

• Administrator installs patch• Trusts patch came from vendor, not

tampered with in transit• Trusts vendor tested patch thoroughly• Trusts vendor’s test environment

corresponds to local environment• Trusts patch is installed correctly

Role of Trust cont.

Lower level assumption example– A security-related program S is formally verified to

work with operating system O• Proof has no errors

» Bugs in automated theorem provers• Preconditions hold in environment in which S is to be used• S transformed into executable S whose actions follow source code

» Compiler bugs, linker/loader/library problems• Hardware executes S as intended

» Hardware bugs

“Secure” vs. “Trusted” Trusted System

A Characteristic

Degrees of Trustworthiness

Judged based on evidence/analysis

Secure System A Goal

Either … or

Asserted based on features

Note “Perfectly” secure system does not exist. Security is difficult

Security is not inherent. Security is not universal. Security is not static. Security is not an absolute.

Security is a compromise between usability, cost and peace of mind.

Security engineering

Tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data.

Risk Management Risk assessment Risk mitigation/control Risk evaluation/assurance

Phased Risk Assessment Types Preliminary Life cycle Operational

Preliminary Risk Assessment

Identifies risks from analyzing environment prior to development

Independent of technology Aim is to develop an initial set of security requirements Steps:

Identify Risk– Inventory of assets– Determine value of asset– Estimate percentage of asset that will be lost per incident (exposure)– Identify threats and vulnerabilities

Evaluate Risk

Asset analysis in a preliminary risk assessment report for the

MHC-PMSAsset Value Exposure

The information system High. Required to support all clinical consultations. Potentially safety-critical.

High. Financial loss as clinics may have to be canceled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed.

The patient database High. Required to support all clinical consultations. Potentially safety-critical.

High. Financial loss as clinics may have to be canceled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed.

An individual patient record Normally low although may be high for specific high-profile patients.

Low direct losses but possible loss of reputation.

Page 49: Software  Security and Security Engineering (Part 1)

Threat Identification with Misuse cases

Identify the most probable threats to the system assets Misuse cases are instances of threats to a system Models malicious user actions to figure out strategies to

prevent the actions. Relationship with use case

Misuse case threatens use case Use case mitigates misuse case

Page 50: Software  Security and Security Engineering (Part 1)

Threat Identification with Misuse cases

Sindre G, Opdahl AL (2001) Templates for misuse casedescription. In: Proceedings of the 7th international workshopon requirements engineering: foundation for software quality(REFSQ’01), Interlaken, Switzerland

Risk AssessmentIdentify RiskEvaluate Risk

Risks are quantified based on importanceor impact severity

Risks are prioritized for probable impact

Quantitative (Objective) Risk Analysis

Single loss expectancy (SLE) Total loss expected from a single incident Asset value X Exposure

Annual rate of occurrence (ARO) Number of times an incident is expected to

occur in a yearAnnual loss expectancy (ALE)

Expected loss for a year


Page 53: Software  Security and Security Engineering (Part 1)

Qualitative (Subjective) Risk Analysis

Probability Likelihood a threat will exploit a


Result if a risk occurs

Risk level = Subjective measure of probability AND impact

Page 54: Software  Security and Security Engineering (Part 1)

Risk Mitigation Risk reduction

Uses security controls for potential prevention Risk transference

Delegating controls to another entity Risk acceptance

Taking conscious decision to accept the consequences should undesirable event occur

Risk avoidance Not taking the risk at all

Risk and Mitigation

Risk Level Mitigation Feasibility

Unauthorized user may gain access to information system left unsecured with machine in an open environment

Very high (Reduction) Keep machines running the system physically secure

Low cost of implementation but care must be taken with key distribution and to ensure that keys are available in the event of an emergency.

Unauthorized user may gain access as patient database

High (Reduction) Require all users to authenticate themselves before accessing the DB.

Technically feasible but cost to implement solution. Possible user resistance.

Page 56: Software  Security and Security Engineering (Part 1)

Derived Security requirements for the MHC-PMS

Only allow systems to installed in machines that are physically secure.

Require all users to authenticate themselves prior to accessing database.

Risk Evaluation/Assurance Assessment of control strategies

Selection of control strategies Cost effectiveness evaluation

Planning Incident response plan Business continuity plan Disaster recovery plan

Implementation Compliance

Life cycle risk assessment Identifies risks that emerge during design and development

Risks that are associated with the technologies used for system construction.

More information is available - system platform, tools, middleware and the system architecture and data organization.

Requirements are extended to protect against new risks.

Additional Security Requirements generated from

Design Choice Design Decision

Patient information shall be downloaded at the start of a clinic session to an area on the system that is used by clinical staff.

Additional security requirement All patient information on the system client shall be encrypted. Patient information shall be uploaded to the database after a

clinic session has finished and deleted from the client computer.

Page 60: Software  Security and Security Engineering (Part 1)

Additional Security Requirements generated from Technology Choice

Technology Decision The system architecture is client-server with clients accessing

the system through a standard web browser. Additional security requirement

Browser has to be secured against common web attacks

Operational risk assessment Identifies risks that emerge from actual use of the system

with additional information about the environment where the system is used. Environment characteristics can lead to new system risks

Further protection requirements may be added to cope with these.

Additional Security Requirements generated from Operational Use

Observation Employees frequently leave work station for administrative

reasons leaving system unprotected and accessible Additional security requirement

Computer must have password protected screen saver

