Overview of Security & Java (based on GS: Ch. 1)
csci 5233 Computer Security & Integrity

Security Goals for Application Development
  1. Protect sensitive data
  2. Control access to resources
  3. Log activity
  - c.f., Five security goals: authenticity, confidentiality, integrity, availability, and non-repudiation
  - Q: Compare the three goals in this chapter with the five goals above.

Security Policy
  - An explicit statement of what actions are and are not allowed within an organization.
      - Acceptable use of corporate resources
      - Remote access policy
      - User privileges, …
  - It helps to define the limits of what your application needs to protect against.
  - It helps to identify the important resources.
  - It is guided by the business needs, rules, and related laws (example: HIPAA - Health Insurance Portability and Accountability Act of 1996)

Analysis of Security Requirements
  - The security requirements of an application are affected by the organization’s security policy. It is usually a compromise.
  - Two areas need to be carefully examined:
    A. Risk Assessment
      - Cost of data loss or exposure
      - “Worthiness” of data
      - Value of the application
      - Cost of unauthorized use of the application
      - Where is the weakest link? …
    B. Data Exposure

Analysis of Security Requirements
    B. Data Exposure
      - Identify the types of vulnerability:
      - When, where, how and by whom would the data most likely be exposed?
      - Which of the vulnerabilities are most in need of strengthening (per the security policy)?
  Two major types of vulnerability:
  1. People
      - External
      - Internal
      - Roles
  2. Vulnerability points
      - Potential points of vulnerability in the system, where data are accessed, transmitted, stored, etc.

Analysis of Security Requirements
  - An example of security requirements analysis
  - Design of a Network Security Testing Environment (a draft)
    http://sce.cl.uh.edu/yang/research/NetworkSecurityTestingEnvironment.pdf

Analysis of Security Requirements
  - Usability of the system should be integrated into the security requirements.
  - Ideally, the enforcement of the security requirements should be “transparent” to the end users.
  - Achieving a successful balance between usability and security of a system is one of the hardest parts of creating a secure system.

Analysis of Security Requirements
  - Contingency plans
      - How would the organization respond to security breaches?
      - How about violation of privacy?
      - Violation of copyright?

Implementation of Security
  - Security technologies & tools
      - The OS
      - IP security
      - VPN (virtual private networks)
      - Firewalls
      - ID (intrusion detection) tools & systems
      - Java security features and tools
          o Java language features (Ch. 2)
          o Byte code verifier
          o Class loader
          o Java cryptography (JCA, JCE: Ch. 3)