共查询到20条相似文献,搜索用时 31 毫秒
1.
2.
3.
How can you tell if an IT security product (or a product that includes security components) can secure your application? How can you be certain that a product will fully deliver on its claims that it will protect against malice in a deployed environment? Unfortunately, few vendors - and even fewer customers - can make these judgments. The article won't make you a security wizard, but it will give you a feel for what to look for in, and when to be concerned about, a vendor's claims. To ensure that a product has a chance of being secure; customers should check that vendors use adequate approaches in four primary areas. In order of importance (and maturity and availability), they are: quality-control (QC) mechanisms; cryptographic primitives; hardware assist mechanisms; and separation mechanisms. 相似文献
4.
As organizations search for more secure authentication methods for user access, e-commerce. and other security applications, biometrics is gaining increasing attention. But should your company use biometrics? And, if so, which ones should you use and how do you choose them? There is no one best biometric technology. Different applications require different biometrics. To select the right biometric for your situation, you will need to navigate through some complex vendor products and keep an eye on future developments in technology and standards. Your options have never been more diverse. After years of research and development, vendors now have several products to offer. Some are relatively immature, having only recently become commercially available, but even these can substantially improve your company's information security posture. We briefly describe some emerging biometric technologies to help guide your decision making 相似文献
5.
In 1999, the International Organization for Standardization and the International Electrotechnical Commission jointly published the Common Criteria for Information Technology Security revaluation to provide IT security evaluation guidelines that extend to an international community. The assurance requirements, including prepackaged sets of Evaluation Assurance Levels (EALs) in the Common Criteria (CC), represent the paradigm that assurance equals evaluation, and more evaluation leads to more assurance. This paradigm is at odds with the commercial off-the-shelf (COTS) marketplace, neither reflecting how confidence is typically achieved nor providing a cost-effective means for supplying grounds for confidence in the security capabilities of the information technology being evaluated. 相似文献
6.
Although embedded systems share many characteristics with their desktop and server counterparts, the unique advantages, limitations, and requirements of the applications they run demand a careful selection process and tailored implementation. The key strategy in choosing database tools for embedded systems is to focus on the application's requirements. Embedded database products vary widely from vendor to vendor. Some will do less than a particular application needs, some will do much more. By surveying the choices carefully, you can choose the tool that most closely matches your requirements. After choosing the operating system, hardware platform, and database software for a new embedded system, you must design a system that runs reliably with little or no human intervention. Unlike desktop and server systems, embedded systems cannot ask for operator help when the application encounters a problem. Finally, performance matters. Designing for performance up front, and evaluating it once you've built the application, is crucial. Fortunately, you can choose from a variety of techniques for evaluating and improving performance in database applications. To arrive at the best embedded-database-system solution, you must select the product that best matches your specific needs, then integrate that solution with your application. Start this process by evaluating which services your embedded application will provide 相似文献
7.
8.
《计算机信息系统安全保护等级划分准则》是我国计算机安全产品和系统必须遵循的标准,而CC是一个新的国际性通用标准,设计一个满足CC标准的网络安全产品或系统,目前国内还没有借鉴之处。文章对国际国内的安全标准现状进行了分析比较,研究了将我国的计算机信息系统安全保护等级的要求用CC标准来描述的问题,并对基于IPSEC的VPN的安全功能要求的实现进行了研究。 相似文献
9.
《EDPACS》2013,47(9):18-19
Abstract Whether you are responsible for ensuring the availability of your enterprise network or you are a chief technology officer or information security manager, you will likely ask yourself these questions: How much should I spend on security? Am I more secure today than I was yesterday? What metrics can I use to measure whether my security is improving or not? When can I stop patching so I can get back to doing real work? 相似文献
10.
安全Linux内核安全功能的设计与实现 总被引:12,自引:1,他引:11
CC标准是一个新的国际标准,由于缺乏可借鉴的范例,开发符合CC标准 的安全操作系统是一项挑战性的工作。借助一项研究实验结合中国安全保护等级划分准则等3条款,讨论了安全Linux内核安全功能在CC框架下的设计与实现问题,通过CC功能需求组件给出安全功能的定义,从系统结构和安全模型方面讨论安全功能的实现方法,并测算安全机制产生的性能负面影响。研究表明,中国国家标准的要求可以通过CC标准进行描述。最后,还指出了安全操作系统进一步的研究方向。 相似文献
11.
Eliciting security requirements and tracing them to design: an integration of Common Criteria, heuristics, and UMLsec 总被引:1,自引:1,他引:0
Siv Hilde Houmb Shareeful Islam Eric Knauss Jan Jürjens Kurt Schneider 《Requirements Engineering》2010,15(1):63-93
Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 Common Criteria (CC) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the CC. They are rather phrased in security domain terminology and difficult to understand for developers. This means that some general security and secure design expertise are required to fully take advantage of the CC and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design, which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the CC, the heuristic requirements editor HeRA, and UMLsec. SecReq makes systematic use of the security engineering knowledge contained in the CC and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the CC, and the ability to trace security requirements into UML design models. A feedback loop helps reusing experience within SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution. 相似文献
12.
《Computer Graphics and Applications, IEEE》2002,22(4):16-21
Biometrics technology has come a long way from simpler forms of systems security. But are biometrics-based systems more secure or do they simply require crackers to become more proficient at breaking into systems? To recognize your fingerprint requires that a template of your fingerprint actually be present in the system that verifies your access. If you want to pass as somebody else, presumably you'd have to either have that person's finger with you or you'd need to change the verifying template residing in the system that verifies your print. Cracking into a system and replacing a legitimate print with your own isn't easy to do unless the system's security is poor. While biometric proponents stress the strength of their proprietary technologies or biometrics in general, no system is ever completely secure. Contrary to what many biometric proponents would have us believe-that biometric security outclasses traditional forms of security-all biometric systems are, after all, another form of computer security with its own set of strengths and weaknesses. Biometrics effectively trade some amount of privacy and cost effectiveness for ultimate convenience-and these systems are certainly no less secure than standard password systems. Password systems are cheap. Complex biometric scanning equipment is usually expensive. But biometrics seems to be where the industry is headed. 相似文献
13.
The best prototype for designing a new user interface is your old user interface. The second best prototype is a competing product. Your competitors have invested significant resources in designing and implementing what they believe to be good user interfaces. You can glean much of what you need to create a new interface by examining products designed to solve similar problems. As with your own old user interface, you can analyze competing interfaces to see what works and what doesn't. You can also watch how users interact with competing products, and thus learn how they approach tasks. This, in essence, is competitive usability analysis. I recommend performing it very early in the usability engineering life-cycle-after you have visited the customer, gathered requirements, and defined the product vision, but before you design and prototype your new user interface 相似文献
14.
Software licenses are of vital concern to vendors and users. Software vendors use contracts, called licenses, to make sure that their products are used in a way that will benefit them. Users want to know the conditions that licenses impose on software so they can buy software that meets their needs. Beyond this, however, licenses and their enforceability are not always a straightforward matter. Are you bound by the conditions of a license even if the license is inside a container of shrinkwrap software, and you can't see its terms until after you buy the product? What if you can't see the license until you load your software into your computer and its terms appear on the monitor? This is particularly an issue with software sold by phone or mail, or over the Internet. In some of these cases, buyers purchase only a serial number or security code that activates publicly accessible software. In many cases, buyers don't even receive a solid product. They receive only a stream of electrons that contains data, an application program, instructions, and license conditions. The thorny legal issues that these situations raise recently confronted the US Court of Appeals for the Seventh Circuit, which hears appeals of cases from US District Courts in Illinois, Indiana, and Wisconsin. The changing nature of the software business has raised questions about the enforceability of shrinkwrap licenses 相似文献
15.
Richard E. Smith 《Information Security Journal: A Global Perspective》2013,22(4):203-216
ABSTRACT Government-endorsed security evaluations, like those performed under the Common Criteria (CC), use established techniques of software quality assurance to try to evaluate product security. Despite high costs and disputed benefits, the number of evaluated products has grown dramatically since 2001, doubling between 2003 and 2005 and leaping again in 2006. Using details from more than 860 security evaluations, this paper looks at the types of products evaluated, the “assurance levels” achieved, where the evaluations occur, and ongoing participation by product vendors. These observations are combined with other lessons learned to make recommendations on product evaluation strategies. 相似文献
16.
Jon David 《Network Security》1996,1996(11):9-12
The opinion of many truly knowledgeable in the areas of security in general, and Internet security in particular, is that the only true security will come from full encryption. If the messages you send are encrypted, what does it matter if they are intercepted and viewed by unauthorized individuals? If an intruder breaks into your system or network and finds that all files are encrypted, what secretes will leak, what vital information can be altered without user knowledge? If your encryption algorithm is solid, and your encryption keys are both good (i.e. not readily guessed) and secure (i.e. not readily stolen — not written on a post-it note on your VDT, not written on the last page of your desk diary, not kept in a clear text file on your disk or sent in clear text on a LAN, etc.), and if you maintain complete, current and correct backups of all critical files (which you should certainly do, independent of any Internet connectivity), then at worst you may suffer inconveniences as a result of security breaches. 相似文献
17.
《Information Security Journal: A Global Perspective》2013,22(6):336-342
As security professionals we have a good handle on securing our perimeters, yet security compromises continue to rise. Hackers have found a new attack vector and are successfully exploiting it. Application exploits are to blame for this rise in security compromises and security professionals need to identify and secure the application. While risk cannot be completely eliminated, a strong Application Security Program can identify and mitigate these risks to a more manageable level. Organizational support, framework selection, and adherence to compliance and regulatory requirements are vital to the success of the program and the security of your applications. If you lack any of these elements the program will fail. There are many frameworks to choose from, so careful consideration must be taken to ensure the right framework is chosen for your organization. A successful Application Security Program will be fully integrated within the SDLC. It will enable your organization to identify and remediate risks with applications. If implanted and executed effectively it will also meet the requirements for FISMA compliance. 相似文献
18.
Due to the international nature of supply chains, organizations interact by proxy with suppliers that they have little or no knowledge of. Limited knowledge of suppliers’ security practices means less control over overall product security, which can increase corporate risk. Formal risk management is critical to the overall procurement process and the risk to the critical components throughout the acquisition lifecycle can be managed by installing proactive supply chain risk management (SCRM) key practices. A properly managed supply chain is a critical requirement in ensuring trust in an organization’s sourced products. We discuss the assurance process requirements as well as a well-defined and recognized set of system engineering practices that apply scientific and engineering principles to ensure systematic direction, control, and trust. 相似文献
19.
The worst thing that can happen in requirements engineering is that your set of requirements, however expressed, doesn't accurately represent your users' needs and consequently leads your team down the wrong development path. The whole point of requirements engineering is to steer your development toward producing the right software. If you don't get the requirements right, how well you execute the rest of the project doesn't matter because it will fail. The article looks at how we can be led astray 相似文献
20.
《IT Professional》2001,3(6):49-52
Wireless LAN technology is a swiftly moving target. Knowing the basics can help you deploy it safely in your organization. WLAN is actually a series of standards and not just one. The initial IEEE 802.11 standard supported three transmission methods-infrared, direct sequence spread spectrum, and frequency hopping spread spectrum-although a single product would use only one method. All three transmission methods can operate at 1 and 2 Mbps 相似文献
