Question

Q4. Out of three levels of security I.e. Infrastructure security, Application security and Operational security, we can only deal with application security. Although it is the area we work on, but overall security of even our application depends upon the organizational security policies. Do you agree? Comment using an example.

Q5. There are 4 types of security threats namely, Interception, interruption, modification and fabrication. As a software programmer, what threat is the one you may work to avoid and how?

Q6. There are 10 Design guidelines for security engineering given in the book. Which you think is the most important and should be used in your everyday software development practices.

Answer 1

Firstly we understand what is infrastructure,operational,Application security.firstly we know about operational security,Operational security another name is procedural security,

• it is a risk management process the main concept of operational security that view operations from the perspective order .
• it protect sensitive information from falling into the wrong hands.
• different operations are done.

Then next is Application level security refers to security services that are invoked at the interface between an application and a queue manager.Application security may include hardware, software, and procedures that identify or minimize security vulnerabilities.Application level security is also known as end-to-end security/ message level security.just example of A message can be encrypted when it is put on a queue by an application .
message is decrypted when it is retrieved by the receiving application. This is an example of a application level confidentiality service.when application and queue manager are connected .it is prevent data or code within the app from being stolen or hijacked.

Network infrastructure security applied to IT industry,it protecting the underlying networking infrastructure.infrastructure by installing preventative measures to deny unauthorized access, modification, deletion.
These security measures can include access control, application security, firewalls, virtual private networks (VPN), and wireless security.

An organizational security policy is a set of rules or procedures .it is produced by an organization on its operations to protect its sensitive data.Organizational security policies are,

•   Security policies should set out general information access strategies that should apply across the organization.
• From a security engineering perspective, the security policy defines, in broad terms, the security goals of the organization.
• The point of security policies is to inform everyone in an organization about security.
• The security engineering process is concerned about implementing these goals.

fig:Security policy life cycle

Application depends upon the organizational security policies.for example the majority of your staff have little understanding of security issues, and there is no reason to expect that to change unless the organization does its part to correct the situation. the part of the organization to adequately prepare staff for making security policy a part of the work environment protect a system from threats .protect from unauthorized access.for example social media webiste the application changed based ob the organizational policy. Company ABCD must protect restricted, confidential or sensitive data from loss to avoid reputation damage .protect data of the companey.provide security.This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.  The protection of data in scope is a critical business requirement, flexibility .It’s primary objective is user awareness and to avoid accidental loss scenarios. overall security of even our application depends upon the organizational security policies. i agree this statements.