Security Engineering Flashcards Preview

COMP 3521: Software Engineering > Security Engineering > Flashcards

Flashcards in Security Engineering Deck (19)
Loading flashcards...
1

Application security

  • The application is designed to resist attacks.

2

Infrastructure security

  • The software is configured to resist attacks.

3

Security dimensions

  • Confidentiality
  • Integrity
  • Availability

4

Three controls to enhance system security

  • Vulnerability avoidance
  • Attack detection and neutralization
  • Exposure limitation and recovery

5

Stages of preliminary risk assessment

  • Asset value assessment/exposure assessment
  • Threat identification/attack assessment
  • Control identification
  • Security requirements definition

6

Operational security

  • Primarily a human and social issue

7

Security trade off

  • More secure system, less usable

8

Protection issues in system design

  • How should the system be organized so that critical assets can be protected against an external attack?

9

Distribution issues in system design

  • How should system assets be distributed so that the effects of a successful attack are minimized?

10

Design guidelines for secure systems engineering:

  • Base security decisions on an explicit security policy.
  • Avoid a single point of failure.
  • Use redundancy and diversity to reduce risk.
  • Validate all inputs.

11

Experience-based testing

  • The system is analyzed against known types of attack.

12

Penetration testing

  • An external team is contracted to discover security flaws in a system.

13

Tool-based testing

  • Tools are used to exhaustively test some features of a system, such as the strength of passwords.

14

Formal verification

  • A system is formally verified against a formal security specification.

15

Interception threats

  • Allows attacker to gain access to an asset

16

Interruption threats

  • Make part or all of a system unavailable

17

Modification threats

  • Attacker tampers with a system asset

18

Fabrication threats

  • Insert false information in the system

19

Security specification

  • Avoid something bad happening