csce548-lect7 - CSCE 548 Architectural Risk Analysis...

Info iconThis preview shows pages 1–10. Sign up to view the full content.

View Full Document Right Arrow Icon
CSCE 548 CSCE 548 Architectural Risk Analysis Architectural Risk Analysis
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
CSCE 548 - Farkas 2 Reading Reading This lecture: McGraw: Chapter 5 Next lecture: Secure Software Construction Jan Jürjens, Towards Development of Secure Systems using UMLsec, http://citeseer.ist.psu.edu/536233.html Lodderstedt et. al, SecureUML: A UML-Based Modeling Language for Model-Driven Security, http://citeseer.ist.psu.edu/lodderstedt02secureuml.html
Background image of page 2
CSCE 548 - Farkas 3 Application of Touchpoints Application of Touchpoints Requirement and Use cases Architecture and Design Test Plans Code Tests and Test Results Feedback from the Field 5. Abuse cases 6. Security Requirements 2. Risk Analysis External Review 4. Risk-Based Security Tests 1. Code Review (Tools) 2. Risk Analysis 3. Penetration Testing 7. Security Operations
Background image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
CSCE 548 - Farkas 4 Requirement Analysis Requirement Analysis Identify and document the customer’s requirements for a proposed system Client: brief idea on what the system should do Requirement Analyst: Detailed system requirements Implied requirements Regulatory requiremetns Create: Software Requirements Specification (SRS) What the product should do
Background image of page 4
CSCE 548 - Farkas 5 Software Requirement Specification Software Requirement Specification Functional requirements Features a software has Implied requirements Non-Functional requirements Performance, reliability, security, etc. Effects quality of product Regulatory requirements Law, standards, organizational regulation, contract, etc. External interface requirements Interaction with other software and hardware Acceptance criteria Confirm that the software is working according to the client’s specification
Background image of page 5

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
CSCE 548 - Farkas 6 Review SRS Review SRS Cost effective: getting the requirements right Manual review: team of experts (at least 3) for 1.5- 2 hours/session Detection rate of good review: 60-90% More cost effective to do requirement review than code testing alone
Background image of page 6
CSCE 548 - Farkas 7 Design Flaws Design Flaws 50 % of security problems Need: explicitly identifying risk Quantifying impact: tie technology issues and concerns to business Continuous risk management
Background image of page 7

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
CSCE 548 - Farkas 8 Security Risk Analysis Security Risk Analysis Risk analysis: identifying and ranking risks Risk management: number of discrete risk analysis exercises, tracking risk, mitigating risks Need: understanding of business impact
Background image of page 8
9 Security Risk Analysis Security Risk Analysis Learn about the target of analysis Discuss security issues
Background image of page 9

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Image of page 10
This is the end of the preview. Sign up to access the rest of the document.

This note was uploaded on 12/13/2011 for the course CSCE 548 taught by Professor Farkas during the Spring '10 term at South Carolina.

Page1 / 36

csce548-lect7 - CSCE 548 Architectural Risk Analysis...

This preview shows document pages 1 - 10. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online