Types of Security Requirements Flashcards
Core Security Requirements
Confidentiality, Integrity, Availability, Authentication, Authorization, Accountability
General Security Requirements
Session Management, Error/Exceptions Management, Configuration Parameters Management
Operational Security Requirements
Deployment environment, Archiving, Anti-piracy
Other Security Requirements
Sequencing & Timing, International, Procurement
Confidentiality Requirements
address protection against the unauthorized disclosure of data or information that is private/sensitive
Data classification
public (directory), non-public
Confidentiality controls
secret writing (i.e. overt and covert), and masking
Secret writing goal
to prevent the disclosure of information deemed secret; includes overt cryptographic mechanisms (encryption and hashing) or covert mechanisms (steganography, digital watermarking - e.g. hiding)
Describe covert
steganography is invisible writing (camouflaging - military espionage); digital watermarking is information embedded in audio, video or pictures - used for copyright, deterring and preventing unauthorized copying of media.
Masking
This is primarily used to protect against shoulder surfing attacks, which are characterized by someone looking over another’s shoulder and observing sensitive information (e.g. hiding a password when typing, last 4 credit card numbers).
non-public data state
In transit (transmitted), In processing (held in computer memory or media for processing), Storage (at rest)
time bound confidentiality
some information may require protection only for a certain period of time (e.g. during a merger or acquisition)
Integrity requirements
address two primary areas of software security (reliability and protection/prevention) against unauthorized modifications
Integrity refers to
system integrity and data integrity
data integrity
information and programs can be changed only in a specified and authorized manner by authorized personnel.
Example system integrity violation
SQL Injection that makes the software act or respond in a manner not originally designed.
Integrity security controls
input validation, CRC and hashing
Input validation check
provides a high degree of protection against injection flaws and provides both system and data integrity.
CRC
useful in the detection of errors or changes made to data when it is transmitted.
Hashing
mainly used for integrity assurance; it can also provide confidentiality assurance
Availability requirements
ensure the protection against destruction of the software system and/or data, thereby assisting in the prevention against DoS to authorized users.
MTD
Maximum Tolerable Downtime - measure of the maximum amount of time that the software can be in a state of not providing expected service
RTO
Recovery Time Objective - amount of time by which the system or software needs to be restored back to the expected state of business operations for authorized business users
RPO
the maximum allowed data or productivity loss when the system becomes disrupted or down
BIA
Business Impact Analysis - determine the adverse impact that the unavailability of software will have on business operations
Authentication requirements
verify and assure the legitimacy and validity of the identity (a person, a process, a hardware device) that is presenting entity claims for verification.
authentication credentials
different factors or a combination of factors that include knowledge, ownership or characteristics.