introduction to assurance
play

Introduction to Assurance Chapter 19 Computer Security: Art and - PowerPoint PPT Presentation

Jan 06, 2023 •536 likes •825 views

Introduction to Assurance Chapter 19 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-1 Overview Trust Problems from lack of assurance Types of assurance Life cycle and assurance Waterfall life cycle

  1. Introduction to Assurance Chapter 19 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-1

  2. Overview • Trust • Problems from lack of assurance • Types of assurance • Life cycle and assurance • Waterfall life cycle model • Other life cycle models Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-2

  3. Trust • Trustworthy entity has sufficient credible evidence leading one to believe that the system will meet a set of requirements • Trust is a measure of trustworthiness relying on the evidence • Assurance is confidence that an entity meets its security requirements based on evidence provided by applying assurance techniques Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-3

  4. Relationships Statement of requirements that explicitly define Policy the security expectations of the mechanism(s) Provides justification that the mechanism meets Assurance policy through assurance evidence and approvals based on evidence Executable entities that are designed and imple- Mechanisms mented to meet the requirements of the policy Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-4

  5. Trusted System • System that has been shown to meet well-defined requirements under an evaluation by a credible body of experts who are certified to assign trust ratings or assurance levels to evaluated products and systems • Use specific methodologies to gather assurance evidence • These methodologies typically have increasing ”levels of trust” Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 19-5

  6. Problem Sources 1. Requirements definitions, omissions, and mistakes 2. System design flaws 3. Hardware implementation flaws, such as wiring and chip flaws 4. Software implementation errors, program bugs, and compiler bugs 5. System use and operation errors and inadvertent mistakes 6. Willful system misuse 7. Hardware, communication, or other equipment malfunction 8. Environmental problems, natural causes, and acts of God 9. Evolution, maintenance, faulty upgrades, and decommissions Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-6

  7. Examples • Challenger explosion • Sensors removed from booster rockets to meet accelerated launch schedule • Deaths from faulty radiation therapy system • Hardware safety interlock removed • Flaws in software design • Bell V22 Osprey crashes • Failure to correct for malfunctioning components; two faulty ones could outvote a third • Intel 486 chip • Bug in trigonometric functions Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-7

  8. Role of Requirements • Requirements are statements of goals that must be satisfied • Vary from high-level, generic issues to low-level, concrete issues • Security objectives are high-level security issues • Security requirements are specific, concrete issues • Security policy is set of specific statements that, when enforced, result in a secure system • Alternatively, a statement that partitions states of system into a set of authorized states and a set of unauthorized states • Security model describes a family of policies, systems, or entities and is more abstract than a policy • A policy is specific to particular entities Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-8

  9. Types of Assurance • Policy assurance is evidence establishing security requirements in policy is complete, consistent, technically sound • Design assurance is evidence establishing design sufficient to meet requirements of security policy • Implementation assurance is evidence establishing implementation consistent with security requirements of security policy Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-9

  10. Types of Assurance • Operational assurance is evidence establishing system sustains the security policy requirements during installation, configuration, and day-to-day operation • Also called administrative assurance Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-10

  11. Life Cycle Security requirements Design and 1 implementation of refinement 2 Design 3 Assurance justification 4 Implementation Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-11

  12. Life Cycle for Building Secure, Trusted Systems • Life cycle process establish discipline, control in the building of a product or system • This provides confidence in consistency, quality of resulting system • Assurance requires life cycle model end engineering process in every situation • Size and complexity will vary • Life cycle defined in stages Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-12

  13. Generic Life Cycle Model These are present in all models, but the emphasis and focus is different for each project, and will be more detailed than what is presented here • Conception • Manufacture • Deployment • Fielded Product Life Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-13

  14. Conception • Idea • Decisions to pursue it • Proof of concept • See if idea has merit • High-level requirements analysis • What does “secure” mean for this concept? • Is it possible for this concept to meet this meaning of security? • Is the organization willing to support the additional resources required to make this concept meet this meaning of security? • Identify threats, assumptions Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-14

  15. Manufacture • Develop detailed plans for each group involved • May depend on use; internal product requires no sales • Implement the plans to create entity • Includes decisions whether to proceed, for example due to market needs • Software development, engineering process is in this stage Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-15

  16. Deployment • Delivery • Assure that correct masters are delivered to production and protected • Assure integrity of what is delivered to customers, sales organizations • Installation and configuration • Ensure product works appropriately for specific environment into which it is installed • Service people know security procedures • Example of configuration failure • 2013: Target breached via a third party vendor, as network architected with improper security controls Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-16

  17. Fielded Product Life • Routine maintenance, patching • Responsibility of engineering in small organizations • Responsibility may be in different group than one that manufactures product • Example of failure: 2017 Equifax breach believed due to failing to install an important system patch, resulting in breach of financial information for hundreds of millions of people • Customer service, support organizations • Retirement or decommission of product Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-17

  18. Waterfall Life Cycle Model • Requirements definition and analysis • Functional and non-functional • General (for customer), specifications • System and software design • Implementation and unit testing • Integration and system testing • Operation and maintenance Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-18

  19. Relationship of Stages Requirements definition and analysis System and software design Implementa- tion and unit testing Integration and system testing Operation and maintenance Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-19

  20. Agile Software Development • Software development is creative process, always changing, never really completed • Leads to agile methodologies • Focuses on working together • Agile team efficiently works together in their environment • Team engages customer as a member of the team, developing requirements and scoping of the project • Accept, adapt to rapidly changing requirements • Allows for continuous improvement Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-20

  21. Agile Methodologies Term “Agile software development” used to describe several Agile methodologies • Scrum • Kanban • Extreme Programming (XP) • Others • Feature-Driven Development (FDD), Dynamic Systems Development Method (DSDM), Pragmatic Programming In all, evidence of trustworthiness for assurance adduced after development Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-21

  22. Scrum • Split project into small parts that can be done in a short timeframe (called a sprint ) • This product backlog created by product owner, who represents customer, product stakeholders • Scrum team agrees on a small subset from top of backlog, decides how to design, implement it • Goal: complete this within the sprint • Every day, team meets to evaluate progress, adjust as needed to get a workable solution within each sprint • At the end, work completed should be ready to ship, demo, or put back into backlog if not complete • Iterate until product complete Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TECHNOLOGIES, INC. INTRODUCTION SOFTWARE QUALITY ASSURANCE SOFTWARE QUALITY ASSURANCE Software

TECHNOLOGIES, INC. INTRODUCTION SOFTWARE QUALITY ASSURANCE SOFTWARE QUALITY ASSURANCE Software

TECHNOLOGIES, INC. INTRODUCTION SOFTWARE QUALITY ASSURANCE SOFTWARE QUALITY ASSURANCE Software Quality Assurance consist of a means of monitoring the software engineering processes and methods used to ensure quality IEEE 730-2014 BETA

325 views • 20 slides
MATERIALS AND TESTING QUALITY ASSURANCE QUALITY ASSURANCE What is Quality Assurance? Why

MATERIALS AND TESTING QUALITY ASSURANCE QUALITY ASSURANCE What is Quality Assurance? Why

Luanna Cambas, P.E. LADOTD District 02 Lab Engineer Jason Davis, P.E. LADOTD Field Quality Assurance Administrator MATERIALS AND TESTING QUALITY ASSURANCE QUALITY ASSURANCE What is Quality Assurance? Why needed? Sampling &

1.01k views • 63 slides
1 CONTENT 1 1. INTRODUCTION INTRODUCTION 2. ORGANIZATION 3. SERVICES (1)Quality assurance

1 CONTENT 1 1. INTRODUCTION INTRODUCTION 2. ORGANIZATION 3. SERVICES (1)Quality assurance

1 CONTENT 1 1. INTRODUCTION INTRODUCTION 2. ORGANIZATION 3. SERVICES (1)Quality assurance of meteorological (1)Quality assurance of meteorological instruments (2)R (2)Research and development h d d l t (3)Activities of RIC Tsukuba

525 views • 23 slides
Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of

Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of

Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of captured and coded data Quality assurance of downstream processes (including data security and integrity) Quality assurance of population counts,

129 views • 12 slides
Assurance Challenges for New & In-service Submarines. Roger Coles May 2019 Introduction

Assurance Challenges for New & In-service Submarines. Roger Coles May 2019 Introduction

Safety Assurance Challenges for New & In-service Submarines. Roger Coles May 2019 Introduction High value assets in a hostile environments Acceptable Risk Level Design Build In-Service Assurance Owners Responsibility

400 views • 23 slides
Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for

Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for

Software Assurance Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for software Particularly assurance of security Bad (buggy, insecure software) comes not from discrete, unpredictable,

561 views • 18 slides
SeeTest Quality Assurance Platform On-premise Digital Assurance Lab On-premise Digital Assurance

SeeTest Quality Assurance Platform On-premise Digital Assurance Lab On-premise Digital Assurance

SeeTest Quality Assurance Platform On-premise Digital Assurance Lab On-premise Digital Assurance Lab Centrally manage browsers & mobile devices (physical/emulated), and allow your team to remotely access them from anywhere at anytime Run

534 views • 17 slides
COPERNICUS & GALILEO for environmental compliance assurance AGENDA INTRODUCTION OF THE

COPERNICUS & GALILEO for environmental compliance assurance AGENDA INTRODUCTION OF THE

COPERNICUS & GALILEO for environmental compliance assurance AGENDA INTRODUCTION OF THE IMPLEMENTATION CHALLENGE THROUGH THE ENVIRONMENTAL COMPLIANCE ASSURANCE Irene Wyndham, Moderator Hugo de Groof, European Commission, DG ENV Compliance

822 views • 69 slides
SeeTest Quality Assurance platform SaaS Digital Assurance Lab SaaS Digital Assurance Lab Access

SeeTest Quality Assurance platform SaaS Digital Assurance Lab SaaS Digital Assurance Lab Access

SeeTest Quality Assurance platform SaaS Digital Assurance Lab SaaS Digital Assurance Lab Access hundreds of browsers & mobile devices (physical/emulated) Hosted in Experitest data centers, from anywhere at anytime Run your tests across

288 views • 18 slides
Outline OS trust and assurance CSci 5271 Introduction to Computer Security Announcements

Outline OS trust and assurance CSci 5271 Introduction to Computer Security Announcements

Outline OS trust and assurance CSci 5271 Introduction to Computer Security Announcements intermission Day 11: OS security: higher assurance Stephen McCamant Unix access control University of Minnesota, Computer Science & Engineering

401 views • 6 slides
Outline Introduction Flow assurance challenges and needs Initial Statoil and Tracerco

Outline Introduction Flow assurance challenges and needs Initial Statoil and Tracerco

Outline Introduction Flow assurance challenges and needs Initial Statoil and Tracerco cooperation on developing/testing detection tools Examples of field tests DiscoveryTM - Subsea Pipeline Visualisation Introduction to the

759 views • 44 slides
Outline Capability-based access control CSci 5271 OS trust and assurance Introduction to

Outline Capability-based access control CSci 5271 OS trust and assurance Introduction to

Outline Capability-based access control CSci 5271 OS trust and assurance Introduction to Computer Security Day 11: OS security: higher assurance Assignment debrief and announcements Stephen McCamant University of Minnesota, Computer Science

534 views • 8 slides
Desk-ercise Moderated By: Jill Micklow Wellness Consultant Assurance Agenda About Assurance

Desk-ercise Moderated By: Jill Micklow Wellness Consultant Assurance Agenda About Assurance

Desk-ercise Moderated By: Jill Micklow Wellness Consultant Assurance Agenda About Assurance Speaker Presentation Q&A Session Key Phrase About Assurance Retail insurance and risk management brokerage Independence

331 views • 32 slides
24 th Annual Conference Assurance of Defence Assurance of Defence Programme Costs Programme

24 th Annual Conference Assurance of Defence Assurance of Defence Programme Costs Programme

24 th Annual Conference Assurance of Defence Assurance of Defence Programme Costs Programme Costs Thursday 20 th September 2007 MoD Abbey Wood, Bristol September 2007 Introduction HQ Defence Equipment & Support Security

567 views • 8 slides
LPA 2018 QUALITY ASSURANCE What is Quality Assurance? Why needed? Sampling &

LPA 2018 QUALITY ASSURANCE What is Quality Assurance? Why needed? Sampling &

MATERIALS and TESTING QUALITY ASSURANCE LPA 2018 QUALITY ASSURANCE What is Quality Assurance? Why needed? Sampling & Testing 2059 Report Typical Materials and Tests What? A system for ensuring a desired level of

813 views • 64 slides
Outline Transient execution covert channels (contd) OS trust and assurance CSci 5271

Outline Transient execution covert channels (contd) OS trust and assurance CSci 5271

Outline Transient execution covert channels (contd) OS trust and assurance CSci 5271 Introduction to Computer Security Announcements intermission Transient Execution, OS Assurance, and Networks Brief introduction to networking Stephen

554 views • 7 slides
DM207 I/O-Efficient Algorithms and Data Structures Fall 2009 Rolf Fagerberg IOEADS Fall 2009

DM207 I/O-Efficient Algorithms and Data Structures Fall 2009 Rolf Fagerberg IOEADS Fall 2009

DM207 I/O-Efficient Algorithms and Data Structures Fall 2009 Rolf Fagerberg IOEADS Fall 2009 Page 1 Analysis of algorithms (DM507, DM508,. . . ) The standard model: Memory CPU Add : 1 unit of time Mult : 1 unit of time Branch :

322 views • 19 slides
B a n Parallel DBMS d 1 Terabyte w 1 Terabyte i d Chapter 21, Part A t h Parallelism:

B a n Parallel DBMS d 1 Terabyte w 1 Terabyte i d Chapter 21, Part A t h Parallelism:

Why Parallel Access To Data? At 10 MB/s 1,000 x parallel 1.2 days to scan 1.5 minute to scan. B a n Parallel DBMS d 1 Terabyte w 1 Terabyte i d Chapter 21, Part A t h Parallelism: 10 MB/s Slides by Joe Hellerstein, UCB, with some

509 views • 4 slides
Status of Grid Activities in Pakistan FAWAD SAEED National Centre For Physics, Pakistan 1

Status of Grid Activities in Pakistan FAWAD SAEED National Centre For Physics, Pakistan 1

Status of Grid Activities in Pakistan FAWAD SAEED National Centre For Physics, Pakistan 1 Introduction of NCP-LCG2 q NCP-LCG2 is the only Tier-2 centre in Pakistan for Worldwide LHC computing Grid (WLCG). q NCP-LCG 2 is collaborating

669 views • 37 slides
Bandwidth 1 Terabyte 1 Terabyte Parallelism: 10 MB/s divide a big problem into many smaller

Bandwidth 1 Terabyte 1 Terabyte Parallelism: 10 MB/s divide a big problem into many smaller

Parallel DBMS Chapter 22, Part A Slides by Joe Hellerstein, UCB, with some material from Jim Gray, Microsoft Research. See also: http://www.research.microsoft.com/research/BARC/Gray/PDB95.ppt Database Management Systems, 3 nd Edition. Raghu

458 views • 8 slides
6 th December 2019 Chaired by Claire Murdoch, National Director for Mental Health NHS England and

6 th December 2019 Chaired by Claire Murdoch, National Director for Mental Health NHS England and

Addressing Out of Area Placements: National Webinar Mental Health Team, NHS England and NHS Improvement 6 th December 2019 Chaired by Claire Murdoch, National Director for Mental Health NHS England and NHS Improvement Agenda Aims of the

487 views • 23 slides
QPR Question Persuade Refer Jon Mattleman Website: www.jonmattleman.com Email:

QPR Question Persuade Refer Jon Mattleman Website: www.jonmattleman.com Email:

QPR Question Persuade Refer Jon Mattleman Website: www.jonmattleman.com Email: jonmattleman@gmail.com QPR Q P R QPR is not a form of counseling or treatment QPR is intended to offer hope QPR is an approach which is easy

468 views • 24 slides
Sponsored by Supported in part by grant No. 90ADPI0011-01-00 from the U.S. Administration for

Sponsored by Supported in part by grant No. 90ADPI0011-01-00 from the U.S. Administration for

Sponsored by Supported in part by grant No. 90ADPI0011-01-00 from the U.S. Administration for Community Living, Department of Health and Human Services, Washington, D.C. 20201. Grantees undertaking projects with government sponsorship are

858 views • 81 slides
Accurately Determining Intermediate and Terminal Plan States Using Bayesian Goal Recognition

Accurately Determining Intermediate and Terminal Plan States Using Bayesian Goal Recognition

Accurately Determining Intermediate and Terminal Plan States Using Bayesian Goal Recognition David Pattison and Derek Long University of Strathclyde, Glasgow G1 1XH, UK david.pattison@cis.strath.ac.uk GAPRec Workshop ICAPS 2011, Freiburg

398 views • 37 slides

More recommend