Introduction to software security
< استفاده از مطالب سایت فراکنش با ذکر منبع مجاز است.>
What is Security?
Security /sɪˈkjʊərɪti/
noun
the state of being free from danger or threat.
synonyms: certainty, safe future, assured future, safety, reliability, dependability, solidness, soundness
A successful organization should have multiple layers of security in place:
Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
Personal security: to protect the (group of) authorized individual.
Operations security: to protect the details of a particular operation or series of activities.
Communications security: to protect an organization’s communications media, technology, and content.
Network security: to protect networking components, connections, and contents.
Information security
Basic Components
An Information System is secure if it supports CIA:
Confidentiality
a good example is cryptography, which traditionally is used to protect secret messages. But cryptography is traditionally used to protect data, not resources. Resources are protected by limiting information, for example by using firewalls or address translation mechanisms.
Integrity
a good example here is that of an interrupted database transaction, leaving the database in an inconsistent state (this foreshadows the Clark-Wilson model). Trustworthiness of both data and origin affects integrity, as noted in the book’s example. That integrity is tied to trustworthiness makes it much harder to quantify than confidentiality. Cryptography provides mechanisms for detecting violations of integrity, but not preventing them (e.g., a digital signature can be used to determine if data has changed).
Availability
this is usually defined in terms of “quality of service,” in which authorized users are expected to receive a specific level of service (stated in terms of a metric). Denial of service attacks are attempts to block availability.
The History of Information Security
Began immediately following development first mainframes
Developed for code-breaking computations
During World War II
Multiple levels of security were implemented
Physical controls
Elementary
Mainly composed of simple document classification
Defending against physical theft, espionage, and sabotage
The need for computer security, or the need to secure the physical location of hardware from outside threats, began almost immediately after the first mainframes were developed.
Groups developing code-breaking computations during World War II created the first modern computers .
Badges, keys, and facial recognition of authorized personnel controlled access to sensitive military locations.
In contrast, information security during these early years was elementary and mainly composed of simple document classification schemes.
There were no application classification projects for computers or operating systems at this time, because the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.
The 1960s
Original communication by mailing tapes
Advanced Research Project Agency (ARPA)
Examined feasibility of networked communications
Larry Roberts developed ARPANET
Plan
Link computers
Resource sharing
Link 17 Computer Research Centers
Cost 3.4M $
ARPANET is predecessor to the Internet
During the 1960s, the Department of Defence’s Advanced Research Procurement Agency (ARPA) began examining the feasibility of a redundant networked communications system designed to support the military’s need to exchange information.
Larry Roberts, known as the founder of the Internet, developed the project from its inception.
ادامه مطلب و دانلود فایل مقاله
References
Matt Bishop, Computer Security: Art and Science, the author homepage, 2004.
Michael E. Whitman, Principles of Information Security: Chapter 1: Introduction to Information Security, 4/e, 2011.
Chris Clifton, CS 526: Information Security course, Purdue university, 2010.