Software Security Standards

Source: Internet
Author: User
I. Security Objectives
& Oslash; prevention:
& Oslash; tracking audit: From Data Library System Set Audit options in three aspects: subject and object. Database Object Access and security-related events. Database auditors can analyze audit information, track audit events, and trace responsibility. And minimize the impact on system efficiency.
& Oslash; Monitoring: monitors real-time operations on software or databases and sends alerts for unauthorized or dangerous actions.
& Oslash; confidentiality and confidentiality: prevents unauthorized user intrusion and leakage of confidential information.
& Oslash; multi-level security: refers to the multi-level security of relational databases stored in a single database system and Management Data with different sensitivity needs to be secured through autonomous access control and mandatory access control mechanisms.
& Oslash; anonymity:
& Oslash; Data Integrity: prevents data integrity from exceptions.
II, Technology Select
& Oslash; Distribution Platform Object Selection
& Oslash; Operating System Selection
& Oslash; Authentication Technology
III, Code Security
& Oslash; concealed security: security of software with blurred codes and tight packets
& Oslash; multi-eye symptom: Vulnerability Detection, others
& Oslash; Password Algorithm
& Oslash; Troy Trojan
Iv. Security Principles
& Oslash; reinforce the most vulnerable connections: conduct risk analysis and submit reports to reinforce the weak links.
& Oslash; implements in-depth protection: manages risks using distributed protection policies.
& Oslash; Failure security: when the system fails to run, corresponding measures are taken to ensure software security.
& Oslash; minimum priority: the principle is that for an operation, only the minimum necessary access permission is granted and only the minimum required time is allocated.
& Oslash; split: divide the system into small units as much as possible, isolate code with security privileges, and minimize possible damage to the system.
& Oslash; simplification: software design and implementation should be as direct as possible, and a system should be constructed as simple as possible to meet security requirements. Key Security operations should be deployed at choke points).
& Oslash; Confidentiality: avoid misuse of users' confidential information.
V. Software Auditing
& Oslash; architecture security
& Oslash; Security Analysis
Source code Audit
Use rats (Remote Access Trojan)
Software Scanning
6. Buffer Overflow
& Oslash; prevention of internal Buffer Overflow
& Oslash; protection against input Overflow
& Oslash; prevention of heap and Stack Overflow
VII. Access Control
& Oslash; Unix
File Attributes and attribution
Program Interface
& Oslash; winnt
Refined permissions and Division
VIII. Cryptographic Application
& Oslash; cryptographic goals: confidentiality, integrity, testability, and anti-repudiation.
& Oslash; cryptographic algorithms (symmetric and asymmetric): consider the impact of the basic functions, strength, weakness, and key length of the algorithms.
& Oslash; key management functions: generation, distribution, verification, revocation, destruction, storage, recovery, survival, and integrity.
& Oslash; cryptographic programming: encryption, hash calculation, public key encryption, multithreading, encryption cookie
& Oslash; Private Key algorithm, Public Key algorithm and PKI
& Oslash; one-time password and group password
IX. Effectiveness of trust management and Input
& Oslash; trusted deliverable
& Oslash; prevent malicious access
& Oslash; secure calling program
& Oslash; Web Security
& Oslash; Client Security
& Oslash; Format String Attack
10. Password Authentication
& Oslash; Password Storage
& Oslash; add a user
& Oslash; Password Authentication
& Oslash; select Password
& Oslash; database security
& Oslash; access control (use view)
& Oslash; protection domain
& Oslash; Defense Against Statistical Attacks
11. Client Security
& Oslash; Copyright Protection Mechanism (license file, identity authentication for untrusted customers)
& Oslash; tamper-Proofing Technology (Anti-debugging programs, checks, and responses to abuse)
& Oslash; code obfuscation Technology
& Oslash; Program Encryption technology
12. System Development Control
& Oslash; system development lifecycle
Function Requirement Determination
Protection specification development
Statistical Review
& Oslash; security control/architecture
Process isolation
Separation of rights
Auditability
Data Hiding
Secure Kernel
& Oslash; Integrity Level
Network /System
Operating System
Database
File

glossary
independent access control (DAC) it means that when you have certain operation permissions on database objects and the corresponding authorization permissions, you can follow your own wishes, manually grant some or all of these operation permissions to other users, so that other users can obtain the right to use these database objects.
Mandatory Access Control (MAC) refers to the use of subject (user) and object (data object) security-level matching principle to determine whether the subject is allowed to access the object.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.