Friday, November 7, 2014

Chapter 10: Different Environments Demand Different Security 

 Environment vs. Application
  • Software controls can be implemented by the operating system or by the application, but usually its a combination of both.
  • Application controls and database management controls are specific to their needs and security compromises they understand.
  • Application:
    • Application protects data by allowing only certain types of inputs and not permitting certain users to view data kept in sensitive database fields.
    • It does not protect against users inserting bogus data into Address Resolution Protocol (ARP) table.
  • The downsides to relying mainly on operating system controls:
    • Although they can control a subject's access to different objects and restrict the actions of that subject within the system, they do not necessarily restrict the subject's actions within an application.  
      •  In other words, if an application has a security vulnerability within its own programming code, it is hard for the operating system to predict and control this vulnerability. 
Functionality vs. Security
  • Trying to account for all the "what-ifs" and programming with caution can reduce the overall functionality of the application.
  • You have to balance functionality and security but in the development world functionality is more important. 
  • Each module of the system should be capable of being tested individually and in concert with other modules so the product can be more secure because flaws could be exploited early on.
Implementation and Default Issues
  • Most security has to be configured and turned on after installation.
  • Settings have to be configured to properly integrate it into different environments.
  • When a security application or device is installed, it should default to "No Access" because when a user installs a packet-filter firewall, it should not allow any packets to pass into the network that were not specifically granted access.
  • A fine balance exists between security, functionality, and user-friendliness.
  • A user-friendly application requires a lot of extra coding for potential user errors, dialog boxes, wizards, and step-by-step instructions, this could result in bloated codes that can create unforeseeable compromises because of extra coding. 
  • Various servers are enabled when a system is installed.
  • Implementation errors and misconfigurations are common items that cause a majority of security issues in network environments. 
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)