SECURITY DESIGN
CONCEPTS
@Mohammed Fazuluddin
TOPICS
• Overview
• Security Design Aspects
• Application Security Design Concepts
• Application Security Guidelines
• Security Architecture/Design Analysis
• Security Risk Assessment And Assurance
• Security Infrastructure With Interoperable Components
OVERVIEW
Basic Security Design
• Application security has always been a risk, and it is routinely ignored on the assumption that firewalls will protect everything.
• Many application attacks succeed even where layered perimeter security is in place; corporations need to recognize the threat and raise its priority.
• While designing the application, the architecture team needs to work on security features with the application teams and incorporate the security lifecycle into the various development styles in use.
• To avoid security risks, tools/products need to be acquired to perform risk assessment and assurance of the systems and applications being deployed.
• New applications need to use the security infrastructure from the start, and older applications need to start migrating towards it.
• Architectural designs need to plan for vulnerability analysis and for a common, centralized security infrastructure.
• While designing the application architecture, we need to understand the functional, performance, cost and process requirements from a security perspective.
• The infrastructure may provide the security components in one language while the application uses a different one.
• Standards for systems and applications need to be established, and the guidelines, processes and checklists that support the application security lifecycle need to be developed.
Principles of Software Security:
• Secure the weakest link.
• Practice defense in depth.
• Fail securely: if your software has to fail, make sure it does so securely.
• Follow the principle of least privilege.
• Compartmentalize: minimize the amount of damage that can be done by breaking the system into units.
• Keep it simple: complex design is never easy to understand.
• Promote privacy: try not to do anything that compromises the privacy of the user.
• Remember that hiding secrets is hard.
• Be reluctant to trust: instead of making assumptions that need to hold true, you should be reluctant to extend trust.
• Use your community resources: public scrutiny promotes trust.
Software Security Best Practices:
• Institute awareness programs.
• Perform application assessments.
• Capture security requirements.
• Implement secure development practices.
• Build vulnerability remediation procedures.
• Define and monitor metrics.
• Publish operational security guidelines.
SECURITY DESIGN ASPECTS
Authentication:
• Authentication is used to determine the legitimacy of a user who wants to access the application.
• Different levels of authentication can be used to protect the application, based on the risk associated with it.
• Sensitivity of the data, application functionality, application architecture (the more distributed it is, the higher the risk) and the user base can all be factors determining the risk.
• Not every user needs access to all the application resources, including business logic and/or data.
• The resources need to be grouped based on the functional roles different users have; this way of assigning privileges to a user is called the role-based access control (RBAC) method.
Authentication:
• Once a user is authenticated and is authorized to perform a business function (transaction),
there may be data/control transfer between different processes on different systems.
• If the data is corrupted or compromised, there will be integrity and confidentiality issues. In
addition to protecting data in transit, protection of static data is required to provide integrity
and confidentiality.
• If the configuration files containing the connection and initialization attributes of an
application were compromised, integrity and confidentiality of the application resources could
be severely compromised.
• The cost of implementing a solution varies widely with the authentication technology used. Where there is a need for strong authentication, a combination of authentication factors should be used.
Confidentiality:
• Confidentiality keeps the data secret from all but those who are authorized to see it. Various cryptographic methods can be used to provide the confidentiality component.
• ‘Cryptography is the art or science encompassing the principles and methods of transforming
an intelligible message into one that is unintelligible and then retransforming that message
back to its original form’.
• Encryption transforms plain text to cipher text using a secret key and decryption transforms
cipher text back to plain text using the secret key.
• The cryptography method using the same secret key to encrypt and decrypt the messages is
called symmetric and the one using different keys is called asymmetric.
• Application data can be kept confidential using cryptography, if the secret key can be secured.
Auditing:
• Auditing is another security feature that needs to be implemented in the application.
• Since no application can ever be completely invulnerable to threats, auditing must be in place to provide the data needed for incident response.
• The auditing feature should provide a trail of which user did what, and when, at any given point in the application's lifetime.
• The final component, non-repudiation, provides proof of the existence of a message.
• The goal of a non-repudiation component is to collect, maintain and make available irrefutable evidence.
Integrity:
• Integrity is ‘the property that data has not been changed, destroyed, or lost in an
unauthorized or accidental manner’.
• Incorporating integrity into an application will inform the recipient of data modification
by unauthorized users during storage or transmittal.
• Various hash methods such as SHA-1 or MD5 can provide the integrity component.
• Confidentiality is ‘the property that information is not made available or disclosed to
unauthorized individuals, entities, or processes [i.e., to any unauthorized system entity]’.
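The integrity check described above, as an added example that is not part of the original slides. One caveat a practitioner would want: SHA-1 and MD5 are no longer collision resistant, and an unkeyed hash stored next to the data only catches accidental corruption, because whoever can rewrite the data can recompute the hash. A keyed HMAC (here HMAC-SHA256 from Python's standard library) ties the check to a secret that the writer of the file does not hold; the configuration file contents and the key handling are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample: connection and initialisation attributes of an application,
# the kind of static data the slides say must keep its integrity.
CONFIG = b"db.host=db.internal\ndb.user=app\ndb.pool=20\n"

# Generated here only for the example; in practice the key lives in a secret
# store the application reads at start-up, never beside the protected file.
INTEGRITY_KEY = secrets.token_bytes(32)


def plain_digest(data: bytes) -> str:
    """Unkeyed hash: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def verify_plain(data: bytes, stored: str) -> bool:
    return hmac.compare_digest(plain_digest(data), stored)


def mac_tag(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256: detects modification by anyone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(data: bytes, stored: str, key: bytes) -> bool:
    # Constant-time comparison so the check does not leak through timing.
    return hmac.compare_digest(mac_tag(data, key), stored)


def compare_schemes(original: bytes, modified: bytes, key: bytes) -> dict:
    """Show what each scheme detects when a party who can write to the file
    system, but holds no key, rewrites both the file and its stored check value."""
    plain = plain_digest(original)
    tag = mac_tag(original, key)
    # The unkeyed digest can simply be recomputed over the altered file ...
    rewritten_plain = plain_digest(modified)
    # ... whereas a valid tag cannot be produced without the key, so the old tag stays.
    return {
        "plain_detects_corruption": not verify_plain(modified, plain),
        "plain_detects_rewrite": not verify_plain(modified, rewritten_plain),
        "mac_detects_modification": not verify_mac(modified, tag, key),
        "mac_accepts_original": verify_mac(original, tag, key),
    }
```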
APPLICATION SECURITY DESIGN CONCEPTS
• In application design, the security architects need to be involved with the application team to assist them in implementing proper security technology and/or processes.
• The following security controls need to be considered as part of the security design:
• Single Access Point
• Session
• Roles
• Secure Access Layer
• Audit
• Administration layer
Single Access Point:
• User entry into an application should be through a single point.
• This feature also saves the user from having to remember multiple passwords, which provides enhanced security by eliminating the need to write down passwords in unsecured places (for example, sticky notes under a keyboard or on a monitor).
• Identification and authentication need to be performed at this point.
• Access points to multiple applications can be consolidated into a single point, often called a portal. Technologies such as single sign-on are also gaining popularity.
• Single sign-on enables a single access point into multiple applications by authenticating once.
• Backdoors should be avoided, and application entry should be restricted to a single point for all types of users, including administrators.
Session:
• Users should not have to authenticate multiple times while traversing an application; their current interaction with the application needs to be maintained by the application.
• This session must be unique and separately maintained for every user.
• If a user is away from the application for some time, the session should help the application determine the user and their current state within the application.
• Authentication details such as the last active time help the application determine whether it needs to authenticate the user again, per the authentication policy.
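The session policy described above, as an added example (not code from the original slides): a server-side store keyed by an unguessable identifier, with the last-active time driving the re-authentication decision while the user's state survives. The timeout values and the `SessionStore` API are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Policy values are constructed for this example; real ones come from the
# organisation's authentication policy.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before re-authentication is required
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on a session's life, regardless of activity


@dataclass
class Session:
    user: str
    created_at: float
    last_active: float
    authenticated: bool = True
    state: dict = field(default_factory=dict)  # the user's current interaction state


class SessionStore:
    """One unique, server-side session per user interaction."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so the policy can be tested without waiting
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # Called once the user has authenticated at the single access point.
        # The identifier is unpredictable, so a session cannot be guessed or forged.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user=user, created_at=now, last_active=now)
        return sid

    def touch(self, sid: str) -> Tuple[Optional[Session], str]:
        """Look up the session on each request. Returns (session, status) where
        status is 'ok', 'reauth' (user and state known, credentials needed again)
        or 'invalid' (no usable session; start over at the access point)."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "invalid"
        now = self._clock()
        if now - s.created_at > ABSOLUTE_LIFETIME:
            del self._sessions[sid]          # lifetime exhausted: discard entirely
            return None, "invalid"
        if now - s.last_active > IDLE_TIMEOUT:
            s.authenticated = False          # keep user and state, demand re-authentication
            return s, "reauth"
        s.last_active = now
        return s, "ok"

    def reauthenticate(self, sid: str) -> bool:
        """Mark a session as freshly authenticated after the user proves identity again."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        s.authenticated = True
        s.last_active = self._clock()
        return True

    def destroy(self, sid: str) -> None:
        """Explicit logout."""
        self._sessions.pop(sid, None)
```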
Roles:
• Users have different needs in an application. Users should be given different privileges (read,
change, add, delete) to various application resources within an application.
• Users are grouped into a role, and privileges to the required application resources are given to that role. Once that is done, every user who performs that function is assigned the role instead of each privilege individually.
• Instead of changing a privilege for every user, the administrator only has to change it for the role.
• Check points have to be established at every resource level where a privilege to a user needs to
be defined. These check points should query the access control data to make a decision for the
user to access the resource.
Secure Access Layer:
• Applications use various mechanisms to communicate with the user or other
applications.
• Depending on the classification of the data that is exchanged or control that is
transferred during the communication, the access mechanisms and access layer need to
be secured.
• Confidentiality and integrity components need to be used to secure the communication,
as well as static data. For example, SSL can be enabled on a web server using certificates
to provide authentication of the application to the user, confidentiality between the
application and the end user and integrity of the information transferred.
Audit:
• Components need to be placed in an application for tracking the actions being performed
on the application resources.
• The placement of these components should make it possible to trace any application event.
• Proper backup and recovery procedures need to be implemented for the audit output, following retention guidelines. The audit output should also be properly formatted to support searches and the generation of statistics.
• The output should definitely contain the successful and unsuccessful attempts by a user
accessing a resource at the single access point and all the checkpoints.
• Adding a timestamp, message code and message description will add value to the output.
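An audit trail of the shape these bullets call for, as an added example that is not part of the original slides: timestamp, user, message code with its description, the access point or checkpoint involved and the outcome, written one JSON object per line so it can be searched and summarised, plus a retention prune. The message codes and the sample events are constructed.

```python
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# A fixed vocabulary of message codes keeps the output searchable and lets the
# description be looked up by code. The codes are constructed for this example.
MESSAGE_CODES = {
    "AUTH-001": "authentication succeeded at the single access point",
    "AUTH-002": "authentication failed at the single access point",
    "ACC-001": "resource access permitted at checkpoint",
    "ACC-002": "resource access denied at checkpoint",
    "ADM-001": "administration action performed",
}


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str     # ISO 8601 in UTC, so events from different hosts sort together
    user: str
    code: str
    description: str
    resource: str      # name of the access point or checkpoint
    success: bool
    detail: str = ""   # free text; never credentials or other secrets


def make_record(user: str, code: str, resource: str, success: bool,
                detail: str = "", now: Optional[datetime] = None) -> AuditRecord:
    if code not in MESSAGE_CODES:
        raise ValueError(f"unknown message code {code!r}")
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return AuditRecord(ts, user, code, MESSAGE_CODES[code], resource, success, detail)


def to_line(rec: AuditRecord) -> str:
    # One JSON object per line: grep-able and trivially loaded for statistics.
    return json.dumps(asdict(rec), separators=(",", ":"))


def from_line(line: str) -> AuditRecord:
    return AuditRecord(**json.loads(line))


def failed_attempts_per_user(records: Iterable[AuditRecord], window: timedelta,
                             until: datetime) -> Dict[str, int]:
    """The statistic an incident responder asks for first: unsuccessful
    attempts per user in the `window` ending at `until`."""
    start = until - window
    counts: Dict[str, int] = {}
    for r in records:
        ts = datetime.fromisoformat(r.timestamp)
        if not r.success and start <= ts <= until:
            counts[r.user] = counts.get(r.user, 0) + 1
    return counts


def prune(records: Iterable[AuditRecord], retention: timedelta,
          now: datetime) -> List[AuditRecord]:
    """Apply the retention guideline: keep only records younger than `retention`.
    Anything older is expected to have been backed up before it is dropped."""
    cutoff = now - retention
    return [r for r in records if datetime.fromisoformat(r.timestamp) >= cutoff]


def sample_trail() -> List[AuditRecord]:
    """Constructed events: one login, three failed logins, one denied and one
    permitted checkpoint decision, one minute apart."""
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    events = [
        (0, "alice", "AUTH-001", "login", True),
        (1, "bob", "AUTH-002", "login", False),
        (2, "bob", "AUTH-002", "login", False),
        (3, "bob", "AUTH-002", "login", False),
        (4, "alice", "ACC-002", "payroll.export", False),
        (5, "alice", "ACC-001", "payroll.view", True),
    ]
    return [make_record(u, c, r, ok, now=base + timedelta(minutes=m))
            for m, u, c, r, ok in events]
```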
Administration layer:
• Easy-to-use administration functionality needs to be provided to the application administrators to maintain user identification attributes, authentication and authorization information.
• The administration functionality needs to be accessible to the administrators through the single entry point and with proper authorization.
• Some features that would help application administrators are:
• Support for RBAC (creating roles and assigning them to users)
• User administration (enabling/disabling users)
• An application scan facility to generate new access points when changes are made to existing applications
SECURITY ARCHITECTURE/DESIGN ANALYSIS
Logic analysis:
• Logic analysis evaluates the equations, algorithms, and control logic of the software design.
Data analysis:
• Data analysis evaluates the description and intended usage of each data item used in the design of the software component. The use of interrupts and their effect on data should receive special attention to ensure interrupt handling routines do not alter critical data used by other routines.
Interface analysis:
• Interface analysis verifies the proper design of a software component's interfaces with other components of the system, including computer hardware, software, and end-users.
Constraint analysis:
• Constraint analysis evaluates the design of a software component against restrictions imposed by requirements and real-world limitations. The design must be responsive to all known or anticipated restrictions on the software component. These restrictions may include timing, sizing, and throughput constraints, input and output data limitations, equation and algorithm limitations, and other design limitations.
Secure code reviews, inspections, and walkthroughs:
• Secure code reviews are conducted during and at the end of the development phase to determine whether established security requirements, security design concepts, and security-related specifications have been satisfied.
Informal reviews:
• Informal secure code reviews can be conducted on an as-needed basis. To conduct an informal review, the developer
simply selects one or more reviewer(s) and provides and/or presents the material to be reviewed. The material may
be as informal as pseudo-code or hand-written documentation.
Formal reviews:
• Formal secure code reviews are conducted at the end of the development phase for each software component. The
client of the software appoints the formal review group, who may make or affect a "go/no-go" decision to proceed to
the next step of the software development life cycle.
Security testing:
• Software security testing, which includes penetration testing, confirms the results of design and code analysis,
investigates software behavior, and verifies that the software complies with security requirements. Special security
testing, conducted in accordance with a security test plan and procedures, establishes the compliance of the
software with the security requirements.
APPLICATION SECURITY GUIDELINES
• An application security development guideline needs to be created, specifying the technologies and a coding style that eliminate vulnerabilities and help mitigate risk.
• A common application vulnerability is buffer overflow.
• Authorization needs to be handled carefully; just defining roles and assigning them to users will not completely secure authorization.
• Situations where multiple roles are assigned to the same user with different types of privilege on the same resource need to be considered.
• Error/exception handling mechanisms should not display too many development details.
• System configuration needs to be analyzed; never use the default configuration.
• Some coding scheme needs to be used that can be cross-referenced to an error description database.
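A worked RBAC checkpoint serving both the Roles section and the guideline above about a user who holds several roles with different privileges on the same resource; this is an added example, not the slides' own code. The deny-overrides conflict policy, the `AccessControlData` structure and the sample roles are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

PRIVILEGES = {"read", "change", "add", "delete"}   # the privilege types named in the slides

Table = Dict[str, Dict[str, Set[str]]]  # role -> resource -> privileges


@dataclass
class AccessControlData:
    """The access-control data that every checkpoint queries. Constructed for this example."""
    grants: Table = field(default_factory=dict)
    denials: Table = field(default_factory=dict)
    roles_of: Dict[str, Set[str]] = field(default_factory=dict)  # user -> roles held

    def _put(self, table: Table, role: str, resource: str, privs) -> None:
        unknown = set(privs) - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privileges {sorted(unknown)}")
        table.setdefault(role, {}).setdefault(resource, set()).update(privs)

    def grant(self, role: str, resource: str, *privs: str) -> None:
        self._put(self.grants, role, resource, privs)

    def deny(self, role: str, resource: str, *privs: str) -> None:
        self._put(self.denials, role, resource, privs)

    def assign(self, user: str, *roles: str) -> None:
        self.roles_of.setdefault(user, set()).update(roles)


def checkpoint(acl: AccessControlData, user: str, resource: str, priv: str) -> bool:
    """Decision made at one resource-level checkpoint.

    Conflict policy for a user holding several roles (an assumption of this
    example, not something the slides prescribe): an explicit denial from any
    role overrides a grant from any other role; otherwise a grant from any role
    suffices; an unknown user or no grant at all is denied (fail closed)."""
    roles = acl.roles_of.get(user, set())
    if not roles:
        return False
    for role in roles:
        if priv in acl.denials.get(role, {}).get(resource, set()):
            return False
    return any(priv in acl.grants.get(role, {}).get(resource, set()) for role in roles)


def effective_privileges(acl: AccessControlData, user: str, resource: str) -> FrozenSet[str]:
    """What the user can actually do on the resource once all roles are combined."""
    return frozenset(p for p in PRIVILEGES if checkpoint(acl, user, resource, p))


def sample_acl() -> AccessControlData:
    """Constructed roles: clerks add invoices, auditors are read-only by design,
    managers change and delete. Bob holds two roles that conflict on 'invoice'."""
    acl = AccessControlData()
    acl.grant("clerk", "invoice", "read", "add")
    acl.grant("auditor", "invoice", "read")
    acl.deny("auditor", "invoice", "add", "change", "delete")
    acl.grant("manager", "invoice", "read", "change", "delete")
    acl.assign("alice", "clerk")
    acl.assign("bob", "clerk", "auditor")
    acl.assign("carol", "manager")
    return acl
```

Changing a privilege on a role, as the slides describe, changes it for every holder of that role in one step, while Bob's auditor denial still wins over anything the clerk role gains.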
SECURITY RISK ASSESSMENT AND ASSURANCE
• Applications need to be assessed at the business level to ascertain the risk based on information
compromise, unauthorized access and availability for determining the security level that needs to
be assigned to them.
• After an application has been developed and functionally tested and before deploying it to
production environment, we need to meticulously perform a security risk assessment and
assurance test.
• This test will help ensure the total system is in compliance based on the security level assigned to
it. These tests need to be mandated on all applications, newly developed or changing an existing
application or a purchased product.
• Application risk checklists need to be developed to assure that proper security controls have been
placed at the appropriate locations within the application.
• The checklist must be updated at a regular interval to accommodate newer technologies and
threats.
• The checklist should contain all aspects of logical access for the various security levels, including:
• User identification (registration process).
• Authentication (level, password strength, sign-on attempts, account lockout policies, helpdesk processes for unlocking, session tracking) and authorization.
• Sensitive data handling (encryption, hashing).
• Auditing features.
• Security administration.
• Tools, products or processes need to be employed to standardize the methodology of security assessments.
• Application contingency plans should be reviewed to make sure all the backup and recovery plans are up to date, so that there is no disruption of service (availability).
A software security assurance program should ensure that:
• A security evaluation has been performed for the software.
• Security requirements have been established for the software.
• Security requirements have been established for the software development and/or
operations and maintenance (O&M) processes.
• Each software review, or audit, includes an evaluation of the security requirements.
• A configuration management and corrective action process is in place to provide security
for the existing software and to ensure that any proposed changes do not inadvertently
create security violations or vulnerabilities.
• Physical security for the software is adequate.
SECURITY INFRASTRUCTURE WITH INTEROPERABLE COMPONENTS
• The infrastructure needs to be interoperable with any application and be maintained by a team that can keep pace with the latest standards.
• Accomplishing the above and offering security as a centralized component can be a tedious and painful task; eventually, the enterprise will realize the fruits: cost savings and a controlled environment.
• This centralized infrastructure should:
• Provide identity, authentication, authorization, confidentiality, integrity, non-repudiation and audit components.
• Adhere to industry standards.
• Be easily manageable and scalable.
• Provide a framework that can adapt to newer technologies with less effort (security is a race where the good guys always need to be in front of the bad guys).
• To provide the above infrastructure, the security team needs to analyze the existing applications and define the requirements.
THANKS
• If you feel it is helpful and worthy to share with other people, please share the same

Quality attributes in software architecture
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
LOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGLOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODING
 
Avoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slidesAvoid outages-from-misconfigured-devices-webinar-slides
Avoid outages-from-misconfigured-devices-webinar-slides
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdf
 
Computer Security.pptx
Computer Security.pptxComputer Security.pptx
Computer Security.pptx
 
Unit4
Unit4Unit4
Unit4
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 

More from Mohammed Fazuluddin

SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
Mohammed Fazuluddin
 
DOMAIN DRIVER DESIGN
DOMAIN DRIVER DESIGNDOMAIN DRIVER DESIGN
DOMAIN DRIVER DESIGN
Mohammed Fazuluddin
 
New Relic Basics
New Relic BasicsNew Relic Basics
New Relic Basics
Mohammed Fazuluddin
 
Terraform Basics
Terraform BasicsTerraform Basics
Terraform Basics
Mohammed Fazuluddin
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Software architectural patterns - A Quick Understanding Guide
Software architectural patterns - A Quick Understanding GuideSoftware architectural patterns - A Quick Understanding Guide
Software architectural patterns - A Quick Understanding Guide
Mohammed Fazuluddin
 
Mule ESB - An Enterprise Service Bus
Mule ESB - An Enterprise Service BusMule ESB - An Enterprise Service Bus
Mule ESB - An Enterprise Service Bus
Mohammed Fazuluddin
 
Docker - A Quick Introduction Guide
Docker - A Quick Introduction GuideDocker - A Quick Introduction Guide
Docker - A Quick Introduction Guide
Mohammed Fazuluddin
 
Cassandra - A Basic Introduction Guide
Cassandra - A Basic Introduction GuideCassandra - A Basic Introduction Guide
Cassandra - A Basic Introduction Guide
Mohammed Fazuluddin
 
React JS - A quick introduction tutorial
React JS - A quick introduction tutorialReact JS - A quick introduction tutorial
React JS - A quick introduction tutorial
Mohammed Fazuluddin
 
Rest API Design Rules
Rest API Design RulesRest API Design Rules
Rest API Design Rules
Mohammed Fazuluddin
 
Scrum process framework
Scrum process frameworkScrum process framework
Scrum process framework
Mohammed Fazuluddin
 
DevOps and Tools
DevOps and ToolsDevOps and Tools
DevOps and Tools
Mohammed Fazuluddin
 
UI architecture & designing
UI architecture & designingUI architecture & designing
UI architecture & designing
Mohammed Fazuluddin
 
Data streaming fundamentals
Data streaming fundamentalsData streaming fundamentals
Data streaming fundamentals
Mohammed Fazuluddin
 
Microservice's in detailed
Microservice's in detailedMicroservice's in detailed
Microservice's in detailed
Mohammed Fazuluddin
 
Java performance tuning
Java performance tuningJava performance tuning
Java performance tuning
Mohammed Fazuluddin
 
Java workflow engines
Java workflow enginesJava workflow engines
Java workflow engines
Mohammed Fazuluddin
 
Choosing The Right ESB
Choosing The Right ESBChoosing The Right ESB
Choosing The Right ESB
Mohammed Fazuluddin
 
Kafka presentation
Kafka presentationKafka presentation
Kafka presentation
Mohammed Fazuluddin
 

More from Mohammed Fazuluddin (20)

SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
 
DOMAIN DRIVER DESIGN
DOMAIN DRIVER DESIGNDOMAIN DRIVER DESIGN
DOMAIN DRIVER DESIGN
 
New Relic Basics
New Relic BasicsNew Relic Basics
New Relic Basics
 
Terraform Basics
Terraform BasicsTerraform Basics
Terraform Basics
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Software architectural patterns - A Quick Understanding Guide
Software architectural patterns - A Quick Understanding GuideSoftware architectural patterns - A Quick Understanding Guide
Software architectural patterns - A Quick Understanding Guide
 
Mule ESB - An Enterprise Service Bus
Mule ESB - An Enterprise Service BusMule ESB - An Enterprise Service Bus
Mule ESB - An Enterprise Service Bus
 
Docker - A Quick Introduction Guide
Docker - A Quick Introduction GuideDocker - A Quick Introduction Guide
Docker - A Quick Introduction Guide
 
Cassandra - A Basic Introduction Guide
Cassandra - A Basic Introduction GuideCassandra - A Basic Introduction Guide
Cassandra - A Basic Introduction Guide
 
React JS - A quick introduction tutorial
React JS - A quick introduction tutorialReact JS - A quick introduction tutorial
React JS - A quick introduction tutorial
 
Rest API Design Rules
Rest API Design RulesRest API Design Rules
Rest API Design Rules
 
Scrum process framework
Scrum process frameworkScrum process framework
Scrum process framework
 
DevOps and Tools
DevOps and ToolsDevOps and Tools
DevOps and Tools
 
UI architecture & designing
UI architecture & designingUI architecture & designing
UI architecture & designing
 
Data streaming fundamentals
Data streaming fundamentalsData streaming fundamentals
Data streaming fundamentals
 
Microservice's in detailed
Microservice's in detailedMicroservice's in detailed
Microservice's in detailed
 
Java performance tuning
Java performance tuningJava performance tuning
Java performance tuning
 
Java workflow engines
Java workflow enginesJava workflow engines
Java workflow engines
 
Choosing The Right ESB
Choosing The Right ESBChoosing The Right ESB
Choosing The Right ESB
 
Kafka presentation
Kafka presentationKafka presentation
Kafka presentation
 

Recently uploaded

Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 

Recently uploaded (20)

Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 

Security Design Concepts

OVERVIEW
Software Security Best Practices:
• Institute awareness programs.
• Perform application assessments.
• Capture security requirements.
• Implement secure development practices.
• Build vulnerability remediation procedures.
• Define and monitor metrics.
• Publish operational security guidelines.

SECURITY DESIGN ASPECTS
Authentication:
• Authentication is used to determine the legitimacy of a user who wants to access the application.
• Different levels of authentication can be used to protect the application, chosen according to the risk associated with it.
• The sensitivity of the data, the application functionality, the application architecture (the more distributed it is, the higher the risk) and the user base are the factors that determine that risk.
• Not every user needs access to all the application resources, including business logic and/or data.
• Resources should be grouped according to the functional roles that different users have; assigning privileges to users this way is called role-based access control (RBAC).

SECURITY DESIGN ASPECTS
Authentication:
• Once a user is authenticated and is authorized to perform a business function (transaction), there may be data/control transfer between different processes on different systems.
• If that data is corrupted or compromised, there will be integrity and confidentiality issues. In addition to protecting data in transit, static data must be protected to provide integrity and confidentiality.
• If the configuration files containing the connection and initialization attributes of an application were compromised, the integrity and confidentiality of the application resources could be severely compromised.
• The cost of implementing a solution varies widely with the authentication technology used. Where strong authentication is needed, a combination of these factors should be used.

SECURITY DESIGN ASPECTS
Confidentiality:
• Confidentiality keeps the data secret from all but those who are authorized to see it. Various cryptographic methods can be used to provide the confidentiality component.
• 'Cryptography is the art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible and then retransforming that message back to its original form.'
• Encryption transforms plain text to cipher text using a secret key, and decryption transforms cipher text back to plain text using the secret key.
• A cryptographic method that uses the same secret key to encrypt and decrypt is called symmetric; one that uses different keys is called asymmetric.
• Application data can be kept confidential using cryptography, provided the secret key can be secured.

SECURITY DESIGN ASPECTS
Auditing:
• Auditing is another security feature that needs to be implemented in the application.
• Since no application can ever be completely invulnerable to threats, auditing must be in place to provide the data needed for incident response.
• The auditing feature should provide a trail of which user did what, and when, at any given point of the application's lifetime.
• The final component, non-repudiation, provides proof of the existence of a message.
• The goal of a non-repudiation component is to collect, maintain and make available irrefutable evidence.

SECURITY DESIGN ASPECTS
Integrity:
• Integrity is 'the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner'.
• Incorporating integrity into an application will inform the recipient of data modification by unauthorized users during storage or transmittal.
• Various hash methods such as SHA-1 or MD5 can provide the integrity component. (Both are now considered broken against collision attacks, and a bare hash that an attacker can replace together with the data proves nothing; where the attacker can reach the hash, a keyed MAC such as HMAC-SHA-256 or a digital signature is needed.)
• Confidentiality is 'the property that information is not made available or disclosed to unauthorized individuals, entities, or processes [i.e., to any unauthorized system entity]'.

APPLICATION SECURITY DESIGN CONCEPTS
• In application design, the security parameters need to be worked out with the application team to assist them in implementing proper security technology and/or processes.
• The security controls listed below need to be considered as part of the security design:
• Single Access Point
• Session
• Roles
• Secure Access Layer
• Audit
• Administration layer

APPLICATION SECURITY DESIGN CONCEPTS
Single Access Point:
• User entry into an application should be through a single point.
• This also saves the user from having to remember multiple passwords, which improves security by removing the need to write passwords down in unsecured places (for example, sticky notes under a keyboard or on a monitor).
• Identification and authentication need to be performed at this point.
• Access points to multiple applications can be consolidated into a single point, often called a portal. Technologies such as single sign-on are also gaining popularity.
• Single sign-on enables a single access point into multiple applications by authenticating once.
• Backdoors should be avoided, and application entry should be restricted to a single point for all types of users, including administrators.

APPLICATION SECURITY DESIGN CONCEPTS
Session:
• Users should not have to authenticate multiple times while traversing an application; their current interaction with the application needs to be maintained by the application.
• This session must be unique and maintained separately for every user.
• If a user is away from the application for some time, the session should help the application determine who the user is and what their current state within the application was.
• Authentication details such as the last active time can help the application determine whether it needs to authenticate the user again, per the authentication policy.
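An added example, not from the original slides, of the session handling described above: one unique session per user, a last-active timestamp touched on every request, and a check against an assumed idle-timeout and absolute-lifetime policy that tells the application when the user must authenticate again while keeping their saved state for restoration (policy values, user and state names are constructed):

```python
"""Added example (not from the original slides): a per-user session store with
idle-timeout and absolute-lifetime re-authentication. The policy values and
all names below are assumptions constructed for illustration."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed authentication policy (not stated on the slides)
IDLE_TIMEOUT = timedelta(minutes=15)    # re-authenticate after this much inactivity
ABSOLUTE_LIFETIME = timedelta(hours=8)  # re-authenticate after this much total time

@dataclass
class Session:
    user: str
    created: datetime
    last_active: datetime
    state: Dict[str, str] = field(default_factory=dict)  # e.g. the user's current workflow step

class SessionStore:
    """Keeps exactly one live session per user, keyed by an unguessable token."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Session] = {}
        self._by_user: Dict[str, str] = {}  # user -> their current token

    def start(self, user: str, now: datetime) -> str:
        """Called after successful authentication at the single access point.
        Any earlier session of the same user is discarded, so a stale token
        cannot remain usable alongside the new one."""
        old = self._by_user.pop(user, None)
        if old is not None:
            self._by_token.pop(old, None)
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(user, now, now)
        self._by_user[user] = token
        return token

    def resolve(self, token: str, now: datetime) -> Tuple[str, Optional[Session]]:
        """Returns ("ok", session), ("reauth", session) or ("unknown", None).
        "reauth" still hands back the session so its saved state can be
        restored once the user has authenticated again."""
        session = self._by_token.get(token)
        if session is None:
            return "unknown", None
        idle_too_long = now - session.last_active > IDLE_TIMEOUT
        lived_too_long = now - session.created > ABSOLUTE_LIFETIME
        if idle_too_long or lived_too_long:
            return "reauth", session
        session.last_active = now  # touched on every successful request
        return "ok", session

    def end(self, token: str) -> None:
        """Explicit logout."""
        session = self._by_token.pop(token, None)
        if session is not None:
            self._by_user.pop(session.user, None)

def walkthrough() -> Tuple[str, str, str, str, str]:
    """Constructed timeline: two active requests, a 30-minute pause, then a fresh login."""
    store = SessionStore()
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    token = store.start("alice", t0)
    first, s = store.resolve(token, t0 + timedelta(minutes=10))
    s.state["step"] = "invoice-review"                                # state kept in the session
    second, _ = store.resolve(token, t0 + timedelta(minutes=20))      # 10 min since last touch
    third, stale = store.resolve(token, t0 + timedelta(minutes=50))   # 30 min idle: re-authenticate
    restored = stale.state["step"]                                    # state survives for restoration
    store.start("alice", t0 + timedelta(minutes=51))                  # user authenticates again
    old_status, _ = store.resolve(token, t0 + timedelta(minutes=52))  # old token is gone
    return first, second, third, restored, old_status

if __name__ == "__main__":
    print(walkthrough())  # ('ok', 'ok', 'reauth', 'invoice-review', 'unknown')
```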
  • 25. APPLICATION SECURITY DESIGN CONCEPTS Roles: • Users have different needs in an application. Users should be given different privileges (read, change, add, delete) to various application resources within an application. • Users are grouped into a certain role and privileges to required application resources will be given to that role. Once that is done, all the users who perform that role are assigned that role instead of each privilege individually. • Instead of changing a privilege for every user, the administrator will just have to change it for that role. • Check points have to be established at every resource level where a privilege to a user needs to be defined. These check points should query the access control data to make a decision for the user to access the resource.
  • 27. APPLICATION SECURITY DESIGN CONCEPTS Secure Access Layer: • Applications use various mechanisms to communicate with the user or other applications. • Depending on the classification of the data that is exchanged or control that is transferred during the communication, the access mechanisms and access layer need to be secured. • Confidentiality and integrity components need to be used to secure the communication, as well as static data. For example, SSL can be enabled on a web server using certificates to provide authentication of the application to the user, confidentiality between the application and the end user and integrity of the information transferred.
  • 29. APPLICATION SECURITY DESIGN CONCEPTS Audit: • Components need to be placed in an application for tracking the actions being performed on the application resources. • The placement of these components should help tracing any application event. • Proper backup and recovery procedures need to be implemented for the audit output using retention guidelines. Also, the audit output should be properly formatted to help searches or statistic generation. • The output should definitely contain the successful and unsuccessful attempts by a user accessing a resource at the single access point and all the checkpoints. • Adding a timestamp, message code and message description will add value to the output.
  • 31. APPLICATION SECURITY DESIGN CONCEPTS Administration layer: • Easy to use administration functionality needs to be provided to the application administrators to maintain user identification attributes, authentication and authorization information. • The administration functionality needs to be accessible to the administrators though the single entry point and proper authorization. • Some features that would help application administrators are: • Support for RBAC(creating roles and assigning them to users) • User administration(enable/disable users) • Application scan facility to generate new access points when changes are made to existing applications
  • 32. Logic analysis: • Logic analysis evaluates the equations, algorithms, and control logic of the software design. Data analysis: • Data analysis evaluates the description and intended usage of each data item used in design of the software component. The use of interrupts and their effect on data should receive special attention to ensure interrupt handling routines do not alter critical data used by other routines. Interface analysis: • Interface analysis verifies the proper design of a software component's interfaces with other components of the system, including computer hardware, software, and end-users. Constraint analysis: • Constraint analysis evaluates the design of a software component against restrictions imposed by requirements and real-world limitations. The design must be responsive to all known or anticipated restrictions on the software component. These restrictions may include timing, sizing, and throughput constraints, input and output data limitations, equation and algorithm limitations, and other design limitations. SECURITY ARCHITECTURE/DESIGN ANALYSIS
  • 33. Secure code reviews, inspections, and walkthroughs: • Secure Code reviews are conducted during and at the end of the development phase to determine whether established security requirements, security design concepts, and security-related specifications have been satisfied. Informal reviews: • Informal secure code reviews can be conducted on an as-needed basis. To conduct an informal review, the developer simply selects one or more reviewer(s) and provides and/or presents the material to be reviewed. The material may be as informal as pseudo-code or hand-written documentation. Formal reviews: • Formal secure code reviews are conducted at the end of the development phase for each software component. The client of the software appoints the formal review group, who may make or affect a "go/no-go" decision to proceed to the next step of the software development life cycle. Security testing: • Software security testing, which includes penetration testing, confirms the results of design and code analysis, investigates software behavior, and verifies that the software complies with security requirements. Special security testing, conducted in accordance with a security test plan and procedures, establishes the compliance of the software with the security requirements. SECURITY ARCHITECTURE/DESIGN ANALYSIS
34. APPLICATION SECURITY GUIDELINES
• An application security development guideline needs to be created, specifying the technologies and a coding style that eliminate vulnerabilities and help mitigate risk.
• A common application vulnerability is buffer overflow.
• Authorization needs to be handled carefully; just defining roles and assigning them to users will not completely secure authorization.
• Situations where multiple roles are assigned to the same user with different types of privilege on the same resource need to be considered.
• The error/exception handling mechanisms used should not display too many development details.
• System configuration needs to be analyzed; never use the default configuration.
• An error coding scheme should be used that can be cross-referenced to an error description database.
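The multi-role situation above is the one that "just assign roles" gets wrong: a user who is both an editor and an auditor may hold conflicting privileges on the same resource. The following is an added example, not from the deck, of deny-overrides resolution with reason codes; the role names, resource paths and the AUTHZ-* code scheme are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple

class Effect(Enum):
    ALLOW = "allow"
    DENY = "deny"

@dataclass(frozen=True)
class Rule:
    role: str
    resource: str
    action: str
    effect: Effect

class Policy:
    """Deny-overrides resolution: when a user's roles disagree about the same
    resource, the most restrictive rule wins, and no matching rule means deny."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules: List[Rule] = list(rules)

    def decide(self, user_roles: Iterable[str], resource: str, action: str) -> Tuple[str, str]:
        roles = set(user_roles)
        matching = [r for r in self.rules
                    if r.role in roles and r.resource == resource and r.action == action]
        # Reason codes are an assumed scheme: the caller sees only the code, which an
        # error description database explains, rather than the rules that produced it.
        if any(r.effect is Effect.DENY for r in matching):
            return ("deny", "AUTHZ-DENY-EXPLICIT")
        if any(r.effect is Effect.ALLOW for r in matching):
            return ("allow", "AUTHZ-ALLOW")
        return ("deny", "AUTHZ-DENY-DEFAULT")

    def effective_actions(self, user_roles: Iterable[str], resource: str) -> List[str]:
        """Actions the user may actually perform on the resource across all roles."""
        roles = set(user_roles)
        actions = {r.action for r in self.rules if r.resource == resource}
        return sorted(a for a in actions if self.decide(roles, resource, a)[0] == "allow")

# Constructed sample: the same user holds "editor" (may write) and "auditor" (must not write).
SAMPLE_POLICY = Policy([
    Rule("editor", "/docs/report", "read", Effect.ALLOW),
    Rule("editor", "/docs/report", "write", Effect.ALLOW),
    Rule("auditor", "/docs/report", "read", Effect.ALLOW),
    Rule("auditor", "/docs/report", "write", Effect.DENY),
])
```

With both roles the user keeps read but loses write, which is the outcome a naive "union of role permissions" check would miss.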
35. SECURITY RISK ASSESSMENT AND ASSURANCE
• Applications need to be assessed at the business level to ascertain the risk based on information compromise, unauthorized access and availability, in order to determine the security level that needs to be assigned to them.
• After an application has been developed and functionally tested, and before deploying it to the production environment, we need to meticulously perform a security risk assessment and assurance test.
• This test will help ensure that the total system is in compliance with the security level assigned to it. These tests need to be mandated for all applications, whether newly developed, changes to an existing application, or a purchased product.
• Application risk checklists need to be developed to assure that proper security controls have been placed at the appropriate locations within the application.
• The checklist must be updated at regular intervals to accommodate newer technologies and threats.
36. SECURITY RISK ASSESSMENT AND ASSURANCE
• The checklist should contain all aspects of logical access for the various security levels, including:
  • User identification (registration process).
  • Authentication (level, password strength, sign-on attempts, account lockout policies, helpdesk processes for unlocking, session tracking) and authorization.
  • Sensitive data handling (encryption, hashing).
  • Auditing features.
  • Security administration.
• Tools, products or processes need to be employed to standardize the methodology of security assessments.
• Application contingency plans should be reviewed to make sure all backup and recovery plans are up to date, so that there is no disruption of service (availability).
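Several checklist items above (password strength, sign-on attempts, account lockout, hashing of sensitive data, auditing) can be checked against one concrete login path. The following is an added example, not from the deck: a minimal authentication service with a salted scrypt password store, a lockout policy and an audit trail. The attempt limit, lockout duration, minimum length and AUTH-* return codes are constructed values, and the injectable clock exists only so the lockout window can be exercised.

```python
import hashlib, hmac, os, time
from collections import defaultdict
from typing import Optional, Tuple

# Policy values are constructed for this example, not taken from the deck.
MAX_ATTEMPTS = 5         # failed sign-on attempts before the account locks
LOCKOUT_SECONDS = 900    # lockout duration; a helpdesk unlock would clear it early
MIN_PASSWORD_LEN = 12    # minimum password length (strength check)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash: store salt and digest, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

# Hash used for unknown usernames so login timing does not reveal which accounts exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-password-for-constant-timing")

class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}                    # username -> (salt, digest)
        self.failures = defaultdict(int)   # consecutive failed attempts
        self.locked_until = {}             # username -> unlock time
        self.audit = []                    # audit trail: (event, username, ...)

    def register(self, username: str, password: str) -> str:
        if len(password) < MIN_PASSWORD_LEN:
            return "AUTH-REG-001"          # assumed code scheme, looked up in an error description DB
        self.users[username] = hash_password(password)
        self.audit.append(("register", username))
        return "AUTH-REG-OK"

    def login(self, username: str, password: str) -> str:
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            self.audit.append(("login_locked", username))
            return "AUTH-LOCKED"
        stored = self.users.get(username)
        salt, digest = stored if stored else (_DUMMY_SALT, _DUMMY_DIGEST)
        ok = hmac.compare_digest(hash_password(password, salt)[1], digest) and stored is not None
        if ok:
            self.failures[username] = 0
            self.audit.append(("login_ok", username))
            return "AUTH-OK"
        self.failures[username] += 1
        self.audit.append(("login_fail", username, self.failures[username]))
        if self.failures[username] >= MAX_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
            self.audit.append(("account_locked", username))
        return "AUTH-FAIL"
```

The caller only ever sees a short code, while the audit list carries the detail an assessor would ask for (attempt counts and lock events), which is the split the error handling guideline on slide 34 asks for.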
37. SECURITY RISK ASSESSMENT AND ASSURANCE
A software security assurance program should ensure that:
• A security evaluation has been performed for the software.
• Security requirements have been established for the software.
• Security requirements have been established for the software development and/or operations and maintenance (O&M) processes.
• Each software review, or audit, includes an evaluation of the security requirements.
• A configuration management and corrective action process is in place to provide security for the existing software and to ensure that any proposed changes do not inadvertently create security violations or vulnerabilities.
• Physical security for the software is adequate.
39. SECURITY INFRASTRUCTURE WITH INTEROPERABLE COMPONENTS
• The infrastructure needs to be interoperable with any application and be maintained by a team that can keep pace with the latest standards.
• Accomplishing the above and offering security as a centralized component can be a tedious and painful task. Eventually, the enterprise will realize the benefits: cost savings and a controlled environment.
• This centralized infrastructure should:
  • Provide identity, authentication, authorization, confidentiality, integrity, non-repudiation and audit components.
  • Adhere to industry standards.
  • Be easily manageable and scalable.
  • Provide a framework that can adapt to newer technologies with less effort (security is a race where the good guys always need to stay in front of the bad guys).
• To provide the above infrastructure, the security team needs to analyze the existing applications and define the requirements.
40. THANKS
• If you feel it is helpful and worthy to share with other people, please share the same.