It is always a sound information security strategy to treat security as a critical aspect of system development from the earliest stages of the system design lifecycle. The author took a trip down memory lane and identified many information system and design projects that failed because risk-based security programs addressing security at every phase of the system development cycle were not followed. According to the author, system security is interwoven with system quality, reliability, availability, maintainability and usability. We can only have secure software or systems if all vulnerabilities are curtailed and all system functionality is free of security problems throughout every phase of the system lifecycle. Shortcuts in the system and software development lifecycle must be avoided.
Because most environments are heavily network-interconnected, it is imperative to guard all access points against attacks and reduce the overall exposure of systems to such abuse. The perimeter security model often fails to accomplish the desired security goals because systems are exposed to risks they were not protected against in the initial stages of development.
Security metrics should be measured at the component level to fully address all security concerns in the system architecture. It is equally important to undertake quality testing and system integration testing in order to account for all key security issues at the development stage. Security metrics should not be based on quality alone; the role of security in cost reduction, safety and speed of system delivery must also be considered.
System testing is an essential requirement for gathering even modest system security metrics. Testing should be done at the component level, integration testing must be conducted, and unit testing is a must.
The author found to his dismay that system development and engineering, robust system architecture, security procedures, and sound deployment methodologies are sacrificed on the altar of quick product turnaround and the race to market. Solid system engineering practices are thrown to the wind. As a result, many systems have serious architectural and programming flaws that ultimately undermine their security.
The book shows that consistent software design and development best practices are achieved through:
* Standard configuration management
* Good product quality, security and reliability controls
* Good testing procedures
* Deployment of standard foundational elements for determining operational metrics, project management and training
* Risk management
A system development lifecycle that lacks proper security elements and integration during every phase of design is bound to fail, and the resulting final product is always:
1. Fragile in nature
2. Difficult to operate
3. Difficult to maintain.
In conclusion, to have a well-secured system, all component parts must be tested using various test scenarios, risks must be analyzed, and system performance must be tested for reliability, availability and usability.
Reference
Oram, A. & Viega, J. (Eds.). (2009). Beautiful Security: Leading Security Experts Explain How They Think (pp. 171-182). Beijing: O'Reilly Media.