Security Quality Requirements - Annotated Bibliography Example

Annotated Bibliography

Allen, Julia H.; Mead, Nancy R.; Barnum, Sean J.; Ellison, Robert J.; & McGraw, Gary. Software security engineering: a guide for project managers. Upper Saddle River, NJ: Addison-Wesley, 2008. Print.

The authors of this complete textbook draw widely on the systematic method created for the Build Security In (BSI) Web site to represent two renowned resources in the security world: Cigital, Inc., a consulting company that specializes in software security, and the CERT Program at the Software Engineering Institute (SEI). The Department of Homeland Security Software Assurance Program sponsored the project, and the BSI website contains a range of guidelines, tools, principles, and rules, among other resources, that project managers would find useful in addressing security concerns at each stage of the software development life cycle. The authors present a detailed explanation as to why software security entails more than simply getting rid of vulnerabilities and carrying out penetration tests: “determining that such requirements have been satisfied will do nothing to ensure that the software will also behave securely even when it operates correctly” (31). The authors emphasize that IT infrastructure security practices and the techniques of network security do not adequately guard application software against security threats. They propose that software security programs should pursue a risk-management approach in order to set priorities and identify adequate measures. Security engineers and project managers must understand that software security risks will keep changing throughout the SDLC. They need to have the perspective of an attacker so as to address the array of tasks that software should perform, and how to improve the capacity of software to resist, endure, and recuperate when under attack: “the community needs to think creatively and have a firm grasp of the attacker’s perspective and the approaches used to exploit software” (45).
The book contributes to the annotated bibliography collection by providing a wide overview that can help firms to select a set of policies, processes and techniques that are suitable for their security development purposes. This source addresses the entire life cycle of software development with a detailed outline and review of emerging topics and trends, which is absent in most publications related to this subject.

Brian Witten, Carl Landwehr, and Michael Caloyannides. Does open source improve system security? IEEE Software, 18(5):57-61, 2001.

This article deals with the efficiency of open source for security. The authors state that trust of closed source also implies trust of compilers and getting rid of randomizing defenses for buffer overflow. Some kinds of threats best recognized by code review, such as race conditions and backdoors, are featured. The authors emphasize that the objective of commercial software is to produce upgrades and this may indirectly raise security issues. “The recent Digital Millennium Copyright Act and UCITA legislation seem designed to discourage law abiding citizens from reconstructing source code to improve its security but are unlikely to deter those with baser motives.” (58) They also note that the response of open source to security reviews is faster compared to proprietary software and can be further reduced by half. This article checks an important technique of system security which is essential to security engineering, thereby contributing to the annotated bibliography collection in a significant aspect. Similar to The Code Red worm, the article also focuses on one single area of computer security and provides a detailed analysis. The source is different from other publications because the authors do not use any real-world cases in their analysis.

Carl Ellison and Bruce Schneier. Ten risks of PKI: What you’re not being told about Public Key Infrastructure. Computer Security Journal, 16(1):1-7, 2000.
Risks:
- Who do we trust, and for what? (Who gave authority to CA over what?)
- Who is using my key? (Physical/logical protection of key)
- How secure is the verifying computer? (Integrity of root keys and SW in general)
- Which John Robinson is he? (Does a distinguished name mean anything?)
- Is the CA an authority? (SSL certifications contain DNS name but are not issued by an authority of DNS names.)
- Is the user part of the security design? (In browser, user cannot (reasonably) be expected to make correct decision; SSL-closed key/lock in browser not sufficient!)
- Was it one CA or a CA plus a Registration Authority? (RA + separate CA model is weaker than all-in-one-CA. [really? physical protection.])
- How did the CA identify the certificate holder? (Insecure basis of identification at registration time, e.g., through credit bureaus.)
- How secure are the certificate practices? (Are CPS designed with solid security reasons?)
- Why are we using the CA process anyway?

Chung, L.; Hung, F.; Hough, E.; & Ojoko-Adams, D. Security Quality Requirements Engineering (SQUARE): Case Study Phase III, CMU/SEI-2006-SR-003. Software Engineering Institute, Carnegie Mellon University.

This special report is the third in a series focusing on the practical function of the Security Quality Requirements Engineering (SQUARE) practice. In the report, a team of students present their findings from their work involving three clients over the course of a semester. During the practice, each client was creating a large-scale software application and engaged the students in generating the security requirements for the application. The students executed three different structured requirements-elicitation methods with each client. These included Joint Application Development (JAD) with the Delta client, Issue-Based Information Systems (IBIS) with an information technology firm, and the Accelerated Requirements Method (ARM) with the Beta client.
The ARM method, which is a modification of JAD, came out as the most appropriate for incorporation in future functions of SQUARE: “ARM outperformed both IBIS and JAD in efficiency and ability to elicit security requirements.” (65). Besides analyzing the three elicitation methods, the team of students also produced feedback and recommendations on various stages of the SQUARE practice, such as inspection and requirements prioritization. The students’ findings showed that the Analytic Hierarchy Process would be greatly valuable for quick prioritization of requirements: “ARM was very successful in eliciting and Categorizing results, but we feel that it would be very easy to add AHP to the ARM process.” (66). However, the students did not find a method of requirements inspection that was ideal for any of the clients. This source contributes to the annotated bibliography collection by evaluating essential techniques of security requirements relevant to security engineering. Unlike other works, it presents direct, appropriate recommendations that are helpful to security engineering practice and does not involve a lot of theory.

David D. Clark and David R. Wilson. A comparison of commercial and military computer security policies. In Proc. IEEE Symp. Security and Privacy, pages 184-194, 1987.

This paper argues that the mechanisms for commercial needs rest more on integrity and are best characterized by well-formed transactions (double entry bookkeeping) and separation of duties: “any discussion of mechanisms to enforce computer security must involve a particular security policy that specifies the security goals the system must meet and the threats it must resist” (184). The requirements include (1) authentication, (2) requiring data to be manipulated only by certain programs, (3) associating users with the programs they can run (proper assignment ensures separation of duty), and (4) an audit log.
In addition, administrative controls are needed to ensure the configuration changes only in well-defined ways. To ensure correctness, an Integrity Verification Procedure (IVP) is used to ensure the current state is sound, and Transformation Procedures (TPs) are used to change it: “the validity of a TP (or an IVP) can be determined only by certifying it with respect to a specific integrity policy” (189). The article explores TPs ensuring, for example, time of day restrictions. Other examples are the order of TPs. It separates enforcement (application independent) from certification (application dependent issues). This article contributes to this annotated bibliography collection by giving a different perspective on the subject of security engineering: data integrity. Compared to other computer security publications, this paper explores security policies without any inclusion of complex security engineering concepts.

Denning, Dorothy. Information Warfare and Security. Reading, MA: Addison-Wesley, 1998 (ISBN 0201433036).

In this publication, security expert Dorothy Denning puts a spotlight on the information terrorists and criminals who pose information-related risks to individuals, states and corporations through their depredations. The book explores a wide range of security areas, including the government practice of using information warfare to carry out intelligence and military operations and law enforcement inquiries, and conflicts cropping up in the areas of encryption and free speech. Denning puts cybercrime into a wider context, combining the diverse types of information crime and the remedies for such, to create a methodology-based structure. The book addresses offensive information warfare (as well as acquisition of information), denial of access to information, and misleading use of information.
Furthermore, the author presents several case examples, such as the Persian Gulf War, emphasizing real-life occurrences to demonstrate cases in point of information warfare, “Gulf War—Infowar” (11). Denning, a computer security expert, offers a framework for identifying and handling information-based threats such as fraud, computer break-ins (“computer break-Ins and Hacking” (308)), espionage, sabotage, piracy, invasion of privacy, identity theft, and electronic warfare. She also provides sound advice for security policies and practices, detailing countermeasures that are both achievable and necessary. This book contributes to this annotated bibliography collection by providing a comprehensive treatment of technologies and methods of information warfare which a security engineer should be well-versed in. Compared to Software Security Engineering: A Guide for Project Managers, both publications offer information useful to governments, individuals and corporations. However, Denning integrates real-world cases absent in other texts to explain the concepts of information warfare.

Hal Berghel. Digital village: The Code Red worm. Communications of the ACM (CACM), 44(12):15-19, 2001.

This article describes the working principles of a self-replicating program released to the Internet on the evening of November 2, 1988. The worm program used techniques of attack such as: network discovery methods via system configuration files and network instruments; “buffers overrun susceptibility in finger to download vax binary and overwrite the return address on the stack, tricking finger into invoking a shell” (2); password guessing (3); sendmail executables that were compiled with a fix flag would normally effect a shell when a request is sent. “The program invaded VAX and Sun-3 computers running versions of Berkeley UNIX, and used their resources to attack still more computers” (2).
Within hours, the worm had spread and infected many computers in the U.S., rendering them unusable as a result of the burden of its activity. This article provides a history of the outbreak and an in-depth review of the features of the worm, based on a C version generated by decompiling. It used defense techniques such as: an encoding string that required XORing with x82; respawning, sporadically sleeping, and rewriting argv to trick ps; reducing debug info to lower its traceability. This article is a remarkable contribution to this annotated bibliography collection since it deals with security attacks, which are a common issue in security engineering. As opposed to other sources, this article focuses entirely on one case, describing it in detail.

Lee Badger, Daniel F. Sterne, David L. Sherman, Kenneth M. Walker, and Sheila A. Haghighat. Practical domain and type enforcement for UNIX. In Proc. IEEE Symp. Security and Privacy, pages 66-77, Oakland, CA, 1995.

This paper describes the concepts behind domain and type enforcement, founded on type enforcement. The authors argue that the access matrix is divided into classes of equivalence, with types partitioning objects and domains partitioning subjects. Seemingly, the two are layered on top of Unix DAC. The domain which a user is in depends on the rules that specify the domain for init, automatic transition rules through exec, and process-induced modifications of domain; the last especially for domain. The object types specify the domains that they can be accessed from, and the types are assigned to points in the directory tree, and all subtrees inherit this until a new assignment is done: “on a DTE system, root programs could be bound, in both single user and multiuser modes, to domains that allow them to operate normally but prevent them from accessing files or processes unrelated to the functions” (74).
One can also add assignments dynamically, and it is essential to disambiguate numerous assignments for interlinked files. By assigning, the per-file need for attributes is eliminated. The authors describe the possibility of inserting predicates to test information flow in future research: “one enhancement is to add a small logical assertion to DTEL that allows predicates (involving information flow, for example) over a policy to be expressed and automatically checked.” (74).

Matt Blaze, Joan Feigenbaum, and Jack Lacy. Decentralized trust management. In Proc. IEEE Symp. Security and Privacy, 1996.

This paper on distributed protection deals with decentralized trust management. The authors distinguish verification of identities from the trust given to them. Also, this publication asserts that the present systems have a tendency of combining the two into certificate management. PolicyMaker is a rule-based system used to evaluate trust. The rules or “assertions” take the form “source ASSERTS AuthorityStruct WHERE filter”, where source either represents a key-id or the keyword POLICY. Rules create filters which can verify conditions under which trust is shifted from source to the key-ids which fulfill AuthorityStruct. AuthorityStruct represents a function on key-ids that can either be a simple key-id or a program which takes key-ids as parameters, and filter is a program. Queries to PolicyMaker take the form “key-id list REQUESTS ActionString”. ActionString is a string built by the application. PolicyMaker does not interpret ActionString, apart from the fact that the filters of rules will take action strings as input and return a Boolean status (annotations may also be appended to the action string by filters).
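
The assertion and query forms summarized above can be modeled in a few lines. This is an added sketch, not code from the paper or from PolicyMaker: the key-ids, action strings and the fixpoint evaluation are constructed for illustration, filters are plain Python predicates, and signatures on assertions are assumed to have been verified elsewhere.

```python
import re
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List

POLICY = "POLICY"  # keyword marking a local (unsigned) policy assertion


@dataclass(frozen=True)
class Assertion:
    """source ASSERTS authority WHERE filt"""
    source: str                                  # a key-id, or POLICY
    authority: Callable[[FrozenSet[str]], bool]  # AuthorityStruct: function on key-ids
    filt: Callable[[str], bool]                  # filter: action string -> Boolean


def key(key_id: str):
    """AuthorityStruct that is a simple key-id."""
    return lambda keys: key_id in keys


def k_of(k: int, *key_ids: str):
    """AuthorityStruct that is a program over key-ids: at least k must agree."""
    return lambda keys: sum(1 for i in key_ids if i in keys) >= k


def matches(pattern: str):
    """Filter built from a regular expression over the action string."""
    rx = re.compile(pattern)
    return lambda action: rx.search(action) is not None


def evaluate(assertions: List[Assertion], requesters: Iterable[str], action: str) -> bool:
    """Answer the query 'requesters REQUESTS action'.

    Simplified semantics (an assumption of this sketch): start from the
    requesting key-ids, and repeatedly add the source of every assertion
    whose filter accepts the action and whose AuthorityStruct is satisfied
    by the key-ids collected so far. The request is approved only if the
    local POLICY ends up in that set.
    """
    requesters = set(requesters)
    if POLICY in requesters:
        return False  # POLICY is a local keyword, never a requesting key
    supported = set(requesters)
    changed = True
    while changed:
        changed = False
        for a in assertions:
            if a.source in supported:
                continue
            if a.filt(action) and a.authority(frozenset(supported)):
                supported.add(a.source)
                changed = True
    return POLICY in supported


# Constructed sample rule base: the policy trusts a CA key for mail actions,
# the CA key delegates only "mail:read" to alice, and payments need 2 of 3 keys.
ASSERTIONS = [
    Assertion(POLICY, key("key:ca"), matches(r"^mail:")),
    Assertion("key:ca", key("key:alice"), matches(r"^mail:read\b")),
    Assertion(POLICY, k_of(2, "key:a", "key:b", "key:c"), matches(r"^pay:transfer\b")),
]

if __name__ == "__main__":
    for keys, action in [
        (["key:alice"], "mail:read inbox"),
        (["key:alice"], "mail:send draft"),
        (["key:a"], "pay:transfer 100"),
        (["key:a", "key:c"], "pay:transfer 100"),
    ]:
        print(keys, "REQUESTS", repr(action), "->", evaluate(ASSERTIONS, keys, action))
```

The engine never parses the action string itself; only the filters do, which is why the same evaluator serves both the mail and the payment rules.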
Assertions are either local (referred to as policies, and having the source as the POLICY keyword) or a signed binding of an authority structure to a string and the “environment”, which consists of information like the calling application’s name and the current time. PolicyMaker does not perform any cryptography; signature certifications are assumed to be performed elsewhere. This source provides a complex analysis of the operation of a program for evaluating trust which can be used by security systems experts in organizations. It is therefore very much pertinent to this annotated bibliography collection. The authors employ software development language and terms, which is rarely the case in most publications discussed in this collection.

McClure, Stuart; Scambray, Joel; & Kurtz, George. Hacking Exposed: Network Security Secrets and Solutions, 5th ed. New York, NY: Osborne/McGraw-Hill, 2005 (ISBN 0072260815).

Stuart McClure, Joel Scambray, and George Kurtz, three renowned security professionals, use real-world case studies to show IT experts how to protect networks and computers against the latest security vulnerabilities. This book contains detailed up-to-date examples of the most recent underhanded break-ins that can help security engineers to think like hackers so as to counter attacks on computers and networks. The text covers code hacking techniques and countermeasures, new developments for Cisco, Windows 2003 Server (“There are some signs that the message is beginning to sink in. Windows XP Service Pack 2…” (69)), UNIX/Linux, and Web and wireless applications. The authors also review and discuss the most recent DDoS methods and new categories of risks. This publication adds to the annotated bibliography collection by providing security experts with the latest trends and information on network security that is essential in handling the risk of network hacking.
It is unique among the sources because it presents the latest information available on the subject at the time of publication.

Northcutt, Stephen, and Judy Novak. Network Intrusion Detection. Indianapolis, Ind: New Riders, 2002. Print.

Taking into account the growing need for intrusion detection analysis, this book can be used as a reference and training aid for intrusion detection analysis. The text is founded on the experience of the author in certification and training of intrusion analysts and the official training framework. The book explores concepts of intrusion detection that are essential to a user preparing for certification. The authors offer both the knowledge and framework for a quick learning process for security engineers wishing to gain skills in intrusion detection. They have diverse experience in security engineering. They explain the basic techniques of guarding against illicit accesses of networked computers and minimizing the destruction that intruders may cause, and stress authentic techniques for identifying intruders while they are on the network. Author Stephen Northcutt describes methods of spotting suspicious behavior and how to handle it both manually and automatically. The text does not place too much fault or emphasis on any specific computer software, operating system or software developer. The book contains small and large case studies, such as a technical brief at the beginning of the book describing the “techniques that Kevin Mitnick used to attack Tsutomu Shimomura’s server” (273). In his documentation of the famous attack, the author explains TCP hijacking and SYN flooding with a great deal of detail and clarity, enabling readers to create an accurate visual of Mitnick’s actions and Shimomura’s machine response. Northcutt employs another case study in the text that presents a highly detailed analysis of a history file demonstrating how an “attacker with root privileges intruded a Domain Name System (DNS) server” (359).
This source is important to the annotated bibliography collection because it provides clear and detailed network intrusion detection techniques essential to the practice of security experts. It also uses real-world incidents to explain the concepts, as in the cases of Information Security Management Handbook and Denning’s Information Warfare and Security.

Norton, Peter. Peter Norton’s Complete Guide to Network Security. Indianapolis, Ind: Sams, 1999. Print.

Peter Norton provides a fundamentals reference that comes in handy in building and implementing an effective network strategy. The textbook provides an overview of basic network types and the issues and practices entailed in securing a computer network both internally and externally. Norton demonstrates how to limit access and maintain full control of computer data and systems. Common network protocols and systems used in today’s world are addressed, including a description of the security measures necessary to maintain the security and operation of a system: “the most powerful element you have working for you are preparation and information”. For instance, the book teaches you how to set up your network to signal when an intrusion occurs, and where to find the latest updates on defects and fixes and more secure replacements. Norton stresses that, in securing networks, security analysts, educational security forces like CERT, and developers of security products such as intrusion detection systems can aid in protection. The author further describes how to win the cooperation of these stakeholders in the war against network crackers. By educating network users, network administrators can guard against social engineering attacks, password cracking attacks, and other external attacks. “This requires education and cooperation of your users.” (336) Norton also explains how to provide access to a network safely while supporting users and protecting network resources.
This publication is an essential part of this bibliography as it discusses network security in detail, which is a crucial subject in security engineering. It presents network types and then describes the details required to build and implement an efficient network security strategy, integrating concepts omitted in other texts.

R. O’Brien and C. Rogers. Developing applications on LOCK. In Proc. 14th NIST-NCSC National Computer Security Conference, pages 147-156, 1991.

The Logical Coprocessing Kernel (LOCK) system is a highly assured INFOSEC system that can be used as a platform to develop countermeasures to current and future security threats. In this paper, the authors discuss the manner in which applications are developed on LOCK and the features of the LOCK system that allow these applications to be developed quickly and securely. The paper focuses on the design of such applications using LOCK’s type enforcement and the implementation of these applications using the current LOCK software development environment. This is a very coherent description of Type Enforcement (TE) and was written some time after the original paper by Boebert and Kain. There is a table of subjects vs. objects. The subjects are associated with “modules”. Each object has a type and subjects have a domain. Roles enable users to execute within domains. TE uses a lattice and allows trusted users to violate the lattice for write (but not read) permission. This source contributes to the annotated bibliography collection by presenting the methods of developing applications on LOCK, which is essential in computer security. The authors have used simple, direct language similar to Practical domain and type enforcement for UNIX. However, the text has drawn widely from the work of Boebert and Kain.

Rocky K. C. Chang. Defending against flooding-based, distributed denial-of-service attacks: A tutorial. IEEE Communications Magazine, 40(10):42-51, 2002.
This paper describes a number of “flooding” type DDOS attacks that consume either the memory resources of victims or bandwidth resources (fake packets leading to RST). These attacks can either be direct or reflector-based, causing hosts or routers that are neither attackers nor victims to take part in the attacks by issuing replies to fake IP addresses. Defenses against these types of attacks can be located at the source (fake IP), at the destination (DDOS attack) or somewhere in the middle. The ones located in the middle are the most complex. This paper details another type of security attack that security engineers should be aware of, therefore making a great contribution to this annotated bibliography list. As in the case of The Code Red worm, the author describes the attack and defense modes for these types of attacks. It however fails to provide remedial measures for dealing with these attacks as presented in most publications.

Shirley C. Payne. SANS Institute 2007: Infosec Reading Room. “A guide to Security Metrics”. SANS Security Essentials GSEC Practical Assignment Version 1.2e. June 2006, 3-7.

This guide gives the meaning of security metrics, explains their value, discusses the challenges faced in accomplishing these metrics, and suggests a suitable methodology for constructing a security metrics program. The authors provide a captivating read that helps to clarify the distinction between measurement and metrics. These two terms are often a subject of confusion. This guide contrasts the two and concludes that while metrics are generated by analysis, measurement is generated by counting. The authors also demonstrate how metrics assist in the identification of the degree of risk in the event that a particular action is performed, and therefore offer guidance on how to prioritize corrective actions. This is valuable to security managers, especially in creating awareness regarding the security level within an organization.
This text presents security managers with direct answers to many questions that may spring from high-level executives and other colleagues. The authors describe the challenges that security experts may encounter while generating metrics, given the discipline is still in its early phases of development. Advice is provided to security experts to view themselves as pioneers and be prepared to amend strategies appropriately as new events unfold. This guide also offers a seven-step method for security experts involved in the construction of security metrics programs, recommending that they should focus on easy, cheap, and quick tasks and protect current metrics and measures. This text is an essential part of this annotated bibliography collection as it describes many concepts that relate to security practice. Compared to other publications, the text offers direct recommendations that security experts would find handy.

Timothy Fraser. LOMAC: low water-mark integrity protection for COTS environments. In Proc. IEEE Symp. Security and Privacy, 2000.

Low water-mark protection reduces the level of protection of a subject depending on the level of objects it observes. Timothy employs it to develop a security monitor for Linux based on a loadable kernel module, which does not require the applications to be modified in any way: “LOMAC should not require any changes to preexisting kernel or application configurations.” (1). The security monitor averts destruction of system binaries and configuration files by placing them at a higher level than “ordinary” root objects. This paper on operating system implementation claims that the level of a subject or process is the lowest level of the objects it observes in a transitive order.
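
The low water-mark rule described above, modeled as an added example (it is not LOMAC's kernel code or anything from the paper). The object names, the two-level setup and the inheritance of a parent's level on fork are assumptions of this sketch.

```python
from dataclasses import dataclass

HIGH, LOW = 2, 1  # level 2: protected system objects; level 1: everything else


@dataclass
class Obj:
    name: str
    level: int
    data: str = ""


@dataclass
class Subject:
    name: str
    level: int = HIGH  # a fresh process starts at the high level


class LowWaterMarkMonitor:
    """Reference monitor enforcing the low water-mark integrity rule."""

    def __init__(self):
        self.audit = []  # (event, subject, object, subject level, object level)

    def read(self, subj: Subject, obj: Obj) -> str:
        # Observing is always allowed, but the subject's level drops to the
        # lowest level it has ever observed and never rises again.
        if obj.level < subj.level:
            self.audit.append(("demote", subj.name, obj.name, subj.level, obj.level))
            subj.level = obj.level
        return obj.data

    def write(self, subj: Subject, obj: Obj, data: str) -> bool:
        # A subject may only modify objects at or below its current level.
        if subj.level < obj.level:
            self.audit.append(("deny-write", subj.name, obj.name, subj.level, obj.level))
            return False
        obj.data = data
        return True

    def fork(self, parent: Subject, name: str) -> Subject:
        # Assumption: a child inherits the parent's current level, so a
        # demotion follows the process tree (the "transitive" part).
        return Subject(name, parent.level)


def demo_session() -> dict:
    """One editing session over constructed objects; returns what happened."""
    mon = LowWaterMarkMonitor()
    passwd = Obj("/etc/passwd", HIGH, "root:x:0:0")            # constructed sample
    download = Obj("/tmp/download.sh", LOW, "untrusted bytes")  # constructed sample
    editor = Subject("editor")

    out = {}
    # While still at level 2 the editor can update the protected file.
    out["write_before"] = mon.write(editor, passwd, "root:x:0:0\nops:x:1000:1000")
    # Observing a level 1 object demotes the editor for the rest of the session.
    mon.read(editor, download)
    out["level_after_read"] = editor.level
    # A child spawned afterwards starts demoted and cannot touch level 2 objects.
    child = mon.fork(editor, "editor-child")
    out["write_after"] = mon.write(child, passwd, "tampered")
    # Level 1 objects remain writable.
    out["low_write"] = mon.write(child, download, "notes")
    out["passwd"] = passwd.data
    out["audit"] = [event[0] for event in mon.audit]
    return out


if __name__ == "__main__":
    for k, v in demo_session().items():
        print(f"{k}: {v!r}")
```

The denied write in the session is the user-visible cost of the model: once a process has observed level 1 data, saving a level 2 object requires a fresh process.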
This approach faces a number of issues: it only protects system objects and it is difficult to extend the protection to user objects; protection of logs is difficult, since they must remain at the most restricted level; and it requires changes in user behavior; for instance, a user cannot edit both level 1 and level 2 in one session and then save level 2. “The scenario in section 4 described how LOMAC’s Default Policy protects level 2 objects from a compromised level 1 subject” “The Default Policy provides no protection for other subjects and objects at level 1. This deficiency could be addressed by the addition of Integrity Categories to complement the model’s existing level concept” (14). This publication offers great insight into OS implementation, which is an important part of computer security; therefore it contributes effectively to this annotated bibliography collection. While other sources introduce and elaborate on topics and related concepts, this article focuses entirely on low water-mark protection and assumes that readers have prior knowledge of this method and COTS environments.

Tipton, Harold F, and Micki Krause. Information Security Management Handbook. Boca Raton, Fl: Auerbach, 2003. Internet resource.

This security engineering text reveals the important methods and means of securing systems against all security risks and intruders. The authors offer several case studies and examinations that demonstrate how to guard systems and data employing the latest techniques. This text is also one of the most vital publications used for preparation for the Certified Information Systems Security Professionals exam. It offers the security engineer an enthusiastic perspective on computer crimes, security, and the legal side of carrying out technical investigative tasks.
Tipton and Micki present thirty-three articles that are arranged into ten domains: telecommunications and network security; access control systems and methodology; security models for object oriented databases; security architecture and models; cryptography; business continuity planning and disaster recovery planning; operations security threats; physical security; and law, investigations and ethics. This content is suitable for security experts, especially managers. The cases covered are technical enough to help the reader gain confidence in the security concepts presented. It is appropriate for learning introductory concepts which may require additional in-depth research, and for presentations. The authors provide many detailed concepts on actual risk assessment techniques supported by high level articles. This source contributes to the annotated bibliography by presenting up-to-date techniques of information security management that are essential to the practice of security engineering. Similar to Information Warfare and Security, the authors present a variety of cases on the subject that make it easy to grasp the concepts and apply them to professional practice.

Tudor, Jan K. Information Security Architecture. Boca Raton, FL: Auerbach, 2000. Internet resource.

In this book, Jan Killmeyer Tudor demonstrates that an efficient and all-inclusive security infrastructure is most effectively developed within the structure of information security architecture (ISA), taking the present day distributed nature of client and server computing into account. The need for security was not as compelling in the past, when systems were proprietary and closed, compared to the current open systems. This text explores crucial ISA concerns such as risk assessment, the nature of the firm, standards and policies, baselines and risk assessment, compliance, awareness and training, among other issues.
The author emphasizes the concept that these components must function jointly to form a solid ISA and that both software and hardware are useless if they are not properly incorporated into the ISA. A prevailing theme in the entire text is that an understanding of both the vulnerabilities and risks linked to technologies and of the technologies’ return on investment to the firm is necessary for the implementation of security technologies. The methodology of ISA offers security experts an exceptional technique for accomplishing these requirements. Considering the significance of policy to an ISA, the author provides a number of appendices including procedures, policies, and work plans which give an excellent basis for building security architecture. This source contributes to the annotated bibliography list by offering a detailed description of five information security architecture components: infrastructure, procedure and policy, security awareness and treatment, compliance, and security baseline of system components. The book is unique among sources on similar subjects since it provides worksheets that assist the user in executing their own information security plan in the company.

Vern Paxson. Bro: a system for detecting network intruders in real-time. Computer Networks, 31(23-24):2435-2463, 1999.

Vern describes a program for monitoring networks that captures remarkable network incidents and then provides an analysis of these events for security problems. Bro is defined as “a stand-alone system for detecting network intruders in real-time by passively monitoring a network link over which the intruder’s traffic transits.” (1). The author also explains logs and presents a captivating discussion of the kinds of attacks, mainly regarding disguise of interest at the packet level, and how the program deals with such.
The program is “conceptually divided into an “event engine” that reduces a stream of (filtered) packets to a stream of higher-level network events, and an interpreter for a specialized language that is used to express a site's security policy” (3). In general, the system is ordered into layers, whereby the lowest layers process the highest volume of data and therefore must restrict the tasks performed to a minimum. As layers are added, the data stream lessens, creating room for more processing per data item. The basic design of Bro reflects the need to save processing as much as possible, so as to achieve the objective of monitoring high-speed, high-volume traffic flows without losing packets. The paper emphasizes detection rather than prevention measures such as the use of firewalls. The article is relevant to this bibliography collection because it concerns network security, a critical element of security engineering. As opposed to Network Intrusion Detection, this paper deals with only one network monitoring program and with network security at the packet level. However, the kinds of attacks are discussed, as with the previous source.