Best Strategies for Analyzing Security Requirements and Tradeoffs

Security is something we have to rely on from the start for our data, whether it is kept on paper or in online systems, and it has never been perfect or sufficient in every respect. With the popularity of online trading and data processing it has become even harder, and more vital, to protect our data from the attackers and malware crawling the internet for any single vulnerability. The questions that arise are how one can analyze security requirements and weigh the important tradeoffs. In this article we discuss a few crucial factors and strategies to consider.

Every customer has their own specific goals, but in general, security requirements boil down to the need to protect the following assets:

  • Confidentiality of data: only authorized, valid users may read it.
  • Data integrity: only authorized users may change it, and those changes are validated.
  • System and data availability: valid users can reach important data without interruption.
  • Cost: protecting yourself against an attack or threat should cost less than recovering from it.

Database access control:

The “Access Control: Database” weakness occurs when the query is not specific enough about which rows a command may return, so it can let users view information they are not permitted to see. An example is a payroll application with a text box that takes an employee ID and returns that employee's salary; that is the point of vulnerability: by simply changing the ID, a user can check other employees' salaries too. The same applies to a website URL where the product ID is passed as a parameter, which means a user can walk through every product on the site by changing that value.

For instance:

  "SELECT account_balance FROM accounts WHERE account_number = " + $input_from_attacker + ";"
  // even if we safely build the query above, preventing change to the query structure,
  // the attacker can still send someone else's account number, and read Grandma's balance!
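As an added example (not code from the article), here is the same lookup in Python with sqlite3: the first function is parameterized and so injection-safe, yet still lets any caller read any account, while the second binds the authenticated user's id from the server-side session into the query. The schema, table contents and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not a real schema): two customers, one account each.
SEED_SQL = """
CREATE TABLE accounts (
    account_number  TEXT PRIMARY KEY,
    owner_id        INTEGER NOT NULL,
    account_balance INTEGER NOT NULL
);
INSERT INTO accounts VALUES ('ACC-1001', 1, 500);
INSERT INTO accounts VALUES ('ACC-2002', 2, 9000);  -- belongs to a different customer
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn

def balance_unsafe(conn: sqlite3.Connection, requested_account: str):
    """Parameterized, so injection-proof, but authorization-blind: any
    logged-in user who guesses an account number can read its balance."""
    row = conn.execute(
        "SELECT account_balance FROM accounts WHERE account_number = ?",
        (requested_account,),
    ).fetchone()
    return row[0] if row else None

def balance_safe(conn: sqlite3.Connection, requester_id: int, requested_account: str):
    """Ownership is enforced inside the query. requester_id must come from the
    server-side session, never from the request, or the check is meaningless.
    Returns None both for a missing account and for one the caller does not
    own, so the response does not reveal which account numbers exist."""
    row = conn.execute(
        "SELECT account_balance FROM accounts "
        "WHERE account_number = ? AND owner_id = ?",
        (requested_account, requester_id),
    ).fetchone()
    return row[0] if row else None
```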

The .NET framework offers a similar way to enforce access control: permissions are checked through an API along the lines of:

  CheckAccountPermission(Role, Feature), IsAccountInRole(Role)

Another way of doing access control is to guard the route, as in this Node.js handler:

  core.get('/', [
    function (req, res, next) {
      if (req.isAuthenticated()) { return next(); }
      res.redirect('/login');
    },
    function (request, response) {
      console.log("****************** GOOD! I am rendering index.html ********************");
      return response.render('index.html');
    },
  ]);

The key misunderstanding here is that other strategies, such as BearerStrategy, are used to run the authentication process on every new request.

Check source code for vulnerabilities:

The original, and still the best, method for finding security vulnerabilities in code is to read the source manually. Here we describe a few vulnerability factors and the functions to look for.

Buffer overflows and related unsafe calls: the functions to search for when checking for this class of vulnerability are:
gets(), scanf(), sprintf(), strcat(), strcpy(), printf(), fprintf(), vprintf(), snprintf(), vsnprintf(), syslog(), access(), chown(), chgrp(), chmod(), mktemp(), tempnam(), tmpfile(), tmpnam(), rand(), random(), exec(), popen(), system().
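An added example, not from the article: a small Python audit helper that searches C source for the call names listed above and reports the line of each call site, skipping names that only appear inside comments or string literals (a common source of noise in a plain grep). The sample C code is constructed.

```python
import re

# Call names the article lists as worth flagging during manual review.
FLAGGED_CALLS = [
    "gets", "scanf", "sprintf", "strcat", "strcpy", "printf", "fprintf",
    "vprintf", "snprintf", "vsnprintf", "syslog", "access", "chown", "chgrp",
    "chmod", "mktemp", "tempnam", "tmpfile", "tmpnam", "rand", "random",
    "exec", "popen", "system",
]

# A flagged name followed by "(", not preceded by an identifier char or "."
# (so my_strcpy( and obj.rand( are not reported).
_CALL_RE = re.compile(r"(?<![\w.])(" + "|".join(FLAGGED_CALLS) + r")\s*\(")
# String literals, block comments and line comments, in one pass so that
# "//" inside a string is not taken for a comment.
_SKIP_RE = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)

def _blank_out(m: re.Match) -> str:
    text = m.group(0)
    # Keep line structure intact so reported line numbers stay correct.
    return '""' if text.startswith('"') else "\n" * text.count("\n")

def audit_c_source(source: str) -> list[tuple[int, str]]:
    """Return (line_number, function_name) for each flagged call site,
    ignoring names that only appear inside comments or string literals."""
    cleaned = _SKIP_RE.sub(_blank_out, source)
    return [(cleaned.count("\n", 0, m.start()) + 1, m.group(1))
            for m in _CALL_RE.finditer(cleaned)]

# Constructed sample input, not code from any real project.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy(buf, "in a comment") must not be reported */
int main(int argc, char **argv) {
    char buf[16];
    strcpy(buf, argv[1]);
    printf(argv[1]);
    printf("%s\\n", "system(");
    return 0;
}
"""
```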

Predictable resource location:
Any attacker can make arbitrary directory requests to a publicly available web server, which is a real threat when resource locations are guessable. There are several variations of the Predictable Resource Location attack:

Blind searches for common files and directories:
  /admin/
  /backup/
  /logs/
  /test/
  /test.asp
  /test.txt
  /test.jsp
  /test.log
  /Copy%20of%20test.asp
  /Old%20test.asp
  /vulnerable_file.cgi
Adding extensions to an existing filename (/test.asp):
  /test.asp.bak
  /test.asp.txt
  /test.bak
  /test
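As an added, defender-side example (not from the article): a Python detector that reads web-server access-log lines in combined format and reports clients running a blind search (repeated 404s on the predictable paths above) as well as guessable paths the server actually served, which are the files to remove or lock down. The log lines are constructed sample data; the path patterns only cover the shapes listed above.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined format, documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /test.asp.bak HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /Copy%20of%20test.asp HTTP/1.1" 404 153
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /products?id=42 HTTP/1.1" 200 2310
198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "GET /test.asp HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Path shapes from the list above: guessed directories, leftover test files,
# backup copies with an extra extension, and editor "Copy of"/"Old" files.
PROBE_PATTERNS = [
    re.compile(r"^/(admin|backup|logs|test)/?$", re.I),
    re.compile(r"^/test\.(asp|txt|jsp|log)$", re.I),
    re.compile(r"\.\w+\.(bak|txt)$|\.bak$", re.I),
    re.compile(r"^/(Copy%20of%20|Old%20)", re.I),
]

def _requests(log_text: str):
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # drop the query string: only the path is being guessed
            yield m["ip"], m["path"].split("?", 1)[0], m["status"]

def _looks_like_probe(path: str) -> bool:
    return any(p.search(path) for p in PROBE_PATTERNS)

def probing_clients(log_text: str, threshold: int = 3) -> dict[str, list[str]]:
    """Clients that collected at least `threshold` 404s on predictable paths:
    the signature of a blind search, worth alerting on or rate-limiting."""
    hits = defaultdict(list)
    for ip, path, status in _requests(log_text):
        if status == "404" and _looks_like_probe(path):
            hits[ip].append(path)
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}

def exposed_paths(log_text: str) -> list[str]:
    """Predictable paths the server actually served (2xx): the files to
    remove or lock down before someone else finds them."""
    return sorted({path for _, path, status in _requests(log_text)
                   if status.startswith("2") and _looks_like_probe(path)})
```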

Apart from these, plenty of other vulnerabilities can occur, such as:

  • Random number vulnerabilities
  • Format string vulnerabilities
  • Shell metacharacter vulnerabilities
  • URL access vulnerabilities, etc.

Data encryption syntax:

Data encryption is one of the crucial points for preventing vulnerabilities, and this section describes the syntax and features of XML Encryption, as defined in the W3C XML Encryption Syntax and Processing recommendation. Features described in this section MUST be implemented unless otherwise noted. The syntax is defined with the following XML preamble, declaration, internal entity, and import:

Schema definition:

  <?xml version="1.0" encoding="utf-8"?>
  <!DOCTYPE schema  PUBLIC "-//W3C//DTD XMLSchema 200102//EN"
   "http://www.w3.org/2001/XMLSchema.dtd"
   [
     <!ATTLIST schema
       xmlns:xenc CDATA #FIXED 'http://www.w3.org/2001/04/xmlenc#'
       xmlns:ds CDATA #FIXED 'http://www.w3.org/2000/09/xmldsig#'>
     <!ENTITY xenc 'http://www.w3.org/2001/04/xmlenc#'>
     <!ENTITY % p ''>
     <!ENTITY % s ''>
    ]>
  
  <schema xmlns='http://www.w3.org/2001/XMLSchema' version='1.0'
          xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
          xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
          targetNamespace='http://www.w3.org/2001/04/xmlenc#'
          elementFormDefault='qualified'>

    <import namespace='http://www.w3.org/2000/09/xmldsig#'
            schemaLocation='http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd'/>

Tradeoffs: as with most technical design requirements, achieving security goals means making tradeoffs.

  • Security affects network performance: security features such as packet filters and data encryption consume CPU power and memory on hosts, routers and servers. Encryption can use as much as 15 percent of the available CPU power on a router or server.
  • For better performance, encryption is best implemented on dedicated appliances rather than on shared routers or servers.
  • Network performance can also suffer from the delay packets experience while they are being encrypted or decrypted.

We hope this article helps you check each threat and address them one by one, and also weigh the tradeoffs, which are crucial to consider.
