Thursday, January 12, 2012

[ vuZs.net ] Cs507 Idea Solution


Assignment No. 04
SEMESTER Fall 2011
CS507- Information Systems

Question No 1

What are the problems that system engineers face while designing a secure information system? [5 marks]

Answer:

There are at least two reasons for the lack of support for security engineering [5]. Firstly, security requirements are generally difficult to analyse and model. A major problem in analysing non-functional requirements is that there is a need to separate functional and non-functional requirements yet, at the same time, individual non-functional requirements may relate to one or more functional requirements. If the non-functional requirements are stated separately from the functional requirements, it is sometimes difficult to see the correspondence between them. If stated with the functional requirements, it may be difficult to separate functional and non-functional considerations. Secondly, developers lack expertise for secure software development. Many developers, who are not security specialists, must develop systems that require security features. Without an appropriate methodology to guide those developers on the development processes, it is likely that they will fail to produce effective solutions.

Question no 2

How can security vulnerabilities be overcome by using the technique presented by the authors? [5 marks]

Answer:

Throughout our case study, the security policy principles identified in [7] are used. In addition, some more principles are added:

(1) System Authorisation: only authorised professionals and patients can access the system.

(2) Access Control: each Care Plan shall be marked with an access control list naming the people or groups who may read it and append data to it. The system should prevent anyone not on the list from accessing the record in any way.

(3) Care Plan Opening: a professional may open a care plan with themselves and the older person on the access control list. When an older person has been referred, the professional might open a record with themselves, the older person, and the referring professional on the access control list.

(4) Control: only one of the professionals (most likely the professional responsible for the older person) may alter the control list and add other professionals.

(5) Information Flow: information derived from care plan A may be appended to care plan B if and only if B's access control list is contained in A's.

(6) Availability: the information must be available whenever a person included in the access control list requires any information.


___________________________________

1. injection application
2. cross-site scripting (XSS)
3. broken authentication and session management
4. insecure direct object references
5. cross-site request forgery (CSRF)
6. security misconfiguration
7. insecure cryptographic storage
8. failure to restrict URL access
9. insufficient transport layer protection
10. unvalidated redirects and forwards

................

Why is this of interest to the WAF community? The naive answer would be that scanners and WAFs are alternatives. While they do not perform the same function, they compete for the same budget and are offered as alternatives by PCI DSS. If scanners are not as good as expected, WAF might be the right solution after all. This is especially important as WAFs are usually under more fire than scanners, as it is much simpler to find a fault in a WAF: just find the right evasion vector. For a scanner, a full analysis as done by Suto is required.

However, the paper has other, more far-reaching conclusions on the state of security products in general, and therefore WAFs:

No single security solution is sufficient. Only combining multiple defense mechanisms would provide adequate security, which still does not imply 100%.

Security products do differ in the security functionality they provide. Many times customers select security products according to every other feature but security, assuming that the security aspects of the product are performed adequately by all. However, Suto's paper shows that this may not be the case.

The lack of scrutiny of the security features drives security vendors to neglect security and focus on other areas such as GUI, reporting or manageability. This is shown in its extreme by the inability of some scanners to find existing vulnerabilities in sites provided for testing by the vendor itself.

All this is true for the WAF market as much as it is true of the scanner market. The WAF market is eagerly expecting its Larry Suto. Some vendors may bleed, but finally gold and iron would be differentiable.

.................

Obstacles for WAFs:

Web application firewalls (WAFs) take a different approach. WAFs inspect inbound and outbound traffic to an application and enforce a security policy meant to prevent attackers from compromising the site. Security techniques implemented by WAFs vary, but most WAFs will include positive security (allow only that which is known to be good usage) and negative security (block usage that is known to be malicious). Advanced WAFs combine these two types of security rules as well as correlate multiple user behaviors to increase accuracy. Proponents of WAFs (and I am one of them) will argue that WAFs provide the most effective mechanism to immediately address security issues, as the security rule set can be adjusted to prevent new attack types without the time required to change application code. The common objections to WAF technology are:

• Some issues can only be corrected in code. The most commonly cited example is logical flaws in the application, meaning that if the application was intentionally built to do something insecure, only rewriting the application can fix this issue. This is true to some extent, but a good WAF will provide ongoing monitoring information that helps to identify when logical flaws are being exploited.

• WAFs can't understand enough about the application to be effective and accurate. The answer to this is that some WAFs indeed can't. As with any technology product, it's important to pick a good one.

What to Do?

Given these differences, how is someone faced with PCI's dilemma, false or not, to choose?

For those only concerned with compliance, the answer is simple: WAF. Because a WAF can be deployed without affecting the application and without engaging outside consultants to review application code, WAF is a faster and more cost-effective approach to meeting the letter of the law. For those concerned with actually doing the right thing and asking "which first?" rather than "which?" the answer is actually the same: WAF. That's because a WAF can be deployed to provide immediate protection, and a WAF can be quickly configured to adjust as applications and application attacks change. WAFs not only provide the most cost-effective first step, but a sound building block for the second step. Once a WAF is in place, code review projects can proceed at a controlled pace, reducing the risk of errors. WAFs also provide critical information on usage patterns and changes in usage patterns that can guide code review teams and point out obvious problems.

An instructive analogy can be found in application performance tuning. Re-coding slow parts of an application is a great way to improve system performance. However, finding those slow parts requires a performance measurement tool, and sometimes a little extra help -- in the form of content acceleration techniques like caching and compression -- is warranted. WAFs serve a similar function for application vulnerability assessment by providing a roadmap that code reviewers can follow to find and fix underlying logical issues.

...............

WAFS concept (understanding) of:

Hackers attack over HTTP (port 80) and HTTPS (port 443) through channel attacks on the Web server, which was never designed for safety. Thus we often see Web server requests delivering strange SQL, authorization or cookie injection attacks, and many cross-site attacks. As a result, the security industry has a new field, named Web Application Firewalls (WAF), which actually means the Web. The demand is for more than traditional network firewalls, which just look at HTTP or HTTPS (excellent) but really do not understand the purpose and content. A WAF, on the other hand, learns and understands web applications and HTTP/HTTPS traffic in strength and, as some web applications will respond, understands the question well. WAFS are not easy to implement, and the implementation plan needs thought; it includes third-party developers, engineers, security and network engineers, all managers and business owners.

Here are some web application firewall problems:

1. Providing comprehensive network security.
2. Inform / improve security flaws.
3. The right speed, reliability, integrity, delivery and redundancy.
4. Management capacity of the ports.
5. The best investment in data and seal deals.
6. The search for protected area (IDS) system should work.
7. For the data theft, hacking, preventing holiday setting.
8. To effectively a high balance of cash and spirit.
9. Effectively protects the network from CSS, CSRF, SQL injection, buffer overflow. Safe.
10. Continuously monitor network

--
Take great care of 2 people in life:

First, the one who lost a great deal so that you could win (Father)

Second, the one you called out to in every sorrow (Mother)

Regards, 
Umair Saulat

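As an added example (not part of the original post or of the paper it quotes), here is a small Python model of the care-plan principles listed under Question 2: a per-plan access control list, the opening rule, a single controlling professional who may extend the list, and the information-flow rule that data derived from plan A may be appended to plan B only if B's list is contained in A's. All names (dr_smith, mrs_jones, gp_khan, nurse_lee) are constructed.

```python
# Added example (not from the original post or the cited paper): a toy model
# of the care-plan access-control principles. Names are constructed.
from dataclasses import dataclass, field

@dataclass
class CarePlan:
    patient: str
    controller: str                         # professional who may alter the ACL
    acl: set = field(default_factory=set)   # principals who may read and append
    entries: list = field(default_factory=list)

    def check_access(self, who: str) -> None:
        # Principle (2): anyone not on the list may not touch the record at all.
        if who not in self.acl:
            raise PermissionError(f"{who} is not on the access control list")

    def add_to_acl(self, who: str, new_member: str) -> None:
        # Principle (4): only the controlling professional may extend the list.
        if who != self.controller:
            raise PermissionError(f"{who} may not alter the control list")
        self.acl.add(new_member)

    def append(self, who: str, data: str) -> None:
        self.check_access(who)
        self.entries.append(data)

def open_care_plan(professional: str, patient: str, referrer: str = "") -> CarePlan:
    # Principle (3): opener and patient go on the ACL, plus a referrer if any.
    acl = {professional, patient}
    if referrer:
        acl.add(referrer)
    return CarePlan(patient=patient, controller=professional, acl=acl)

def append_derived(who: str, src: CarePlan, dst: CarePlan, data: str) -> None:
    # Principle (5): data from plan A (src) may go into plan B (dst) only if
    # ACL(B) is contained in ACL(A), so nobody on B learns what they could
    # not already read in A. The actor needs access to both plans.
    src.check_access(who)
    dst.check_access(who)
    if not dst.acl <= src.acl:
        extra = sorted(dst.acl - src.acl)
        raise PermissionError(f"flow blocked: {extra} are not on plan A's list")
    dst.entries.append(data)

def permitted(action) -> bool:
    """Run one access attempt and report whether the policy allowed it."""
    try:
        action()
    except PermissionError:
        return False
    return True
```

Note that a flow from A to B that was allowed can become forbidden later, as soon as the controller adds someone to B's list who is not on A's; the check therefore has to run at every append, not once at opening.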
