0
3.4kviews
Note on Security Engineering.
1 Answer
0
5views

Security Engineering:

  • Security engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts.
  • It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but with the added dimension of preventing misuse and malicious behavior. These constraints and restrictions are often asserted as a security policy.

For example considering a hospital management system:

  • Hospitals have a number of interesting protection requirements — mostly to do with patient safety and privacy.
  • Patient record systems should not let all the staff see every patient’s record, or privacy violations can be expected. They need to implement rules such as ‘nurses can see the records of any patient who has been cared for in their department at any time during the previous 90 days’.
  • This can be hard to do with traditional computer security mechanisms as roles can change (nurses move from one department to another) and there are cross-system dependencies (if the patient records system ends up relying on the personnel system for access control decisions, then the personnel system may just have become critical for safety, for privacy or for both).
  • Patient records are often anonymized for use in research, but this is hard to do well. Simply encrypting patient names is usually not enough as an enquiry such as ‘show me all records of 59 year old males who were treated for a broken collarbone on September 15th 1966’ would usually be enough to find the record of a politician who was known to have sustained such an injury at college. But if records cannot be anonymized properly, then much stricter rules have to be followed when handling the data, and this increases the cost of medical research.
  • Web-based technologies present interesting new assurance problems in healthcare. For example, as reference books — such as directories of drugs — move online, doctors need assurance that life-critical data, such as the figures for dosage per body weight, are exactly as published by the relevant authority, and have not been mangled in some way.
  • Another example is that as doctors start to access patients’ records from home or from laptops or even PDAs during house calls, suitable electronic authentication and encryption tools are starting to be required.
  • New technology can introduce risks that are just not understood. Hospital administrators understand the need for backup procedures to deal with outages of power, telephone service and so on; but medical practice is rapidly coming to depend on the net in ways that are often not documented. For example, hospitals in Britain are starting to use online radiology systems: X-rays no longer travel from the X-ray machine to the? Operating theatre in an envelope, but via a server in a distant town.
  • So a network failure can stop doctors operating just as much as a power failure. All of a sudden, the Internet turns into a safety-critical system, and denial-of-service attacks might kill people.
  • Security testing is an important feature of security engineering.
  • Security testing is basically a type of software testing that’s done to check whether the application or the product is secured or not. It checks to see if the application is vulnerable to attacks, if anyone hack the system or login to the application without any authorization.
  • It is a process to determine that an information system protects data and maintains functionality as intended.
  • The security testing is performed to check whether there is any information leakage in the sense by encrypting the application or using wide range of software’s and hardware’s and firewall etc.
  • Software security is about making software behave in the presence of a malicious attack.
  • The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, availability, authorization and non-repudiation.
Please log in to add an answer.