exploring software and hardware security

articles about secure systems, secure protocols, tamperproofing, obfuscation, authentication, attack vectors…

How to design secure systems? Security Analysis

Posted by davitb on 19th October 2009

Secure system is a piece, or any combination of hardware, software or just an operation which protects an information block that is sensitive to the user. There are secure systems which are dedicated to perform only security related operations (such as safe storage, a dongle token, DRM system, firewalls, encryption device, etc). There are also systems which are designed to perform operations which work on sensitive information and thus require having security features implemented inside (such as online payment systems, ATMs, email clients/servers, messengers, etc). Independent of purpose of the system and the operations it allows to perform – the security engineers must threat them identically important and design the security of these systems by taking into account the state of art best practices and techniques.

This article is the first part of a series of articles dedicated to principles and best practices of designing secure systems. It will discuss the following topics:

  • The wrong approach of designing security systems
  • The right approach
  • Assets, threats, security controls, vulnerabilities, attack vectors and risks

Read the rest of this entry »

  • Share/Bookmark

Tags: , , , , ,
Posted in Attacking secure systems, how to design secure systems? | 1 Comment »

Testing the Security of Software

Posted by davitb on 25th September 2009

Citation from Bruce Schneier:

Think about the most recent security vulnerability you’ve read about. Maybe it’s a killer packet, which allows an attacker to crash some server by sending it a particular packet.

Maybe it’s one of the gazillions of buffer overflows, which allow an attacker to take control of a computer by sending it a particular malformed message. Maybe it’s an encryption vulnerability, which allows an attacker to read an encrypted message, or fool an authentication system. These are all software issues.

Testing the software from security standpoint is a key requirement especially for software products with security focus. Even if the product has been architected with the best security protocols and security designing best practices in mind, it doesn’t make much sense as the attacker will prefer focusing on the application layer and eventually will find a vulnerability there and exploit it…. Remember, on application layer

Read the rest of this entry »

  • Share/Bookmark

Tags: , , , , , ,
Posted in software security, software testing | No Comments »

 

Valid XHTML 1.0 Transitional