In last month's newsletter, I introduced the notion of computer security, and explained how security testing is different from other types of software testing. This month, I'll explain what we want to secure, as well as where and how security is implemented.
What Are We Trying to Secure?
First and foremost, we are trying to secure the data stored within our applications and network resources. This can further be broken down into:
1、Data integrity: Ensuring that business transaction data is not altered or corrupted. If something has been changed or modified since it was created, verifying that the changes are legitimate.
2、Confidentiality: Ensuring unauthorized access to information will be denied.
3、User Data Privacy: Web sites and applications should have a privacy statement that defines how user information will be handled. User's private data should be protected from potential access and misuse.
4、Securing Intellectual Property: Ensuring that assets such as business intelligence, source code, and any data related to intellectual property are safeguarded.
5、Availability: Ensuring that data availability is as expected. A denial-of-service attack or natural disasters are examples of data availability threats.
A good security policy should also address the security of resources, including computing power and storage space. Hackers may attempt to use these resources for purposes such as hosting illegitimate download sites, or other resource-intensive activities.
Where and how do we secure it?
Today's applications and networks consist of many different hardware and software components. If the security of any of these components is compromised, it may affect the security of the rest of the network. Security policies can be broken down into the following areas:
1、Host-based: securing data at the individual computer level. These computers can be part of the private network such as a LAN behind the firewall, which are protected from outsiders; or they might be placed in a public network such as the Internet, which exposes them to un-trusted users.
2、Private network-based: securing data and resources at the private network level. Requiring a VPN connection to access resources is an example of this.
3、Perimeter-based: securing data and resources at the private network entrances. An example of perimeter-based protection is the use of a firewall.
4、Public network-based: securing the data transferred across a public network, like Internet Encryption technology is an example of safeguarding data from attackers on a public network.
5、Application-based: securing the applications from exposure to threats due to vulnerabilities in the applications. The common causes for these vulnerabilities are poor programming practices and software configuration errors. There are many common application-level security issues which can lead to security breaches, including buffer overflows and SQL injection.
In order to develop effective security policies and security testing, you must first understand the components that make up your network. Once you have this understanding, you must analyze the security risks of each component, and determine how that will affect your security policy and testing.
Next month's article will be the final part in this series, and will discuss who is responsible for security and security testing, and where you can find more resources on security testing.作者: WUHA 时间: 2006-5-14 22:38
8错作者: hayerk 时间: 2006-5-16 00:14
尝试翻译了一下: