Compare and contrast security functional requirements and functional security design principles.
Security functional requirements
A functional requirement defines a function of a system or its component. A function is described as a set of inputs, the behavior, and outputs. Functional requirements may be calculations, technical details, data manipulation, processing, and other specific functionality that defines what a system is supposed to accomplish. The behavioral requirements describing all the cases where the system uses the functional requirements are captured in use cases.
A security functional requirement describes functional behavior that applies to security. Such requirements can cover access control, data integrity, authentication, etc. All of these fall within the security functional requirements. The Common Criteria for Information Technology mainly uses security functional requirements. They are used because, when a product provides a security function, they specify that individual security function.
Security-related goals:
For example, one user's bank account balance should not be learned or modified by another user unless authorized.
Required mechanism for enforcing them:
For example, users can identify themselves only by entering the password they have provided. The password they chose may be strong or weak. The password database storing the passwords must not be accessible to any program other than the authenticating login program.
Typical kinds of security requirements:
1. Confidentiality: Sensitive information is not leaked to an unauthorized or third party. When a user sends something to another user, it should stay between the two of them only.
2. Integrity: Sensitive information is not damaged by unauthorized parties. A violation of integrity can be direct or indirect.
3. Availability: The system is responsive to requests. DoS (denial of service) attacks attempt to compromise availability.
Supporting mechanism:
1. Authentication: The goal is to determine the subject of a particular security policy. In particular, many policies need to define a notion of identity.
2. Authorization: It defines when a principal may perform an action.
3. Audit: Enough information must be retained to determine the circumstances of a breach or misbehavior.
Functional security design principles:
There are different types of design principles of security.
1. Principle of least privilege: Privilege means rights. This principle states how privileges are to be granted to a subject: the subject should be given only those rights that are required to complete its task. For example, if a subject requires append rights to an object, then it must be given only the append rights, not the write rights.
2. Principle of fail-safe defaults: This principle states that unless the subject is explicitly given access to an object, it should be denied access to that object. This means the default access to an object is none.
3. Principle of economy of mechanism: This principle states that security mechanisms should be as simple as possible. If the design is simple, there are fewer errors. Checking and testing procedures also become easier.
4. Principle of open design: This principle suggests that complexity does not add security. It also states that the security of a mechanism should not depend on the secrecy of its design.
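The append-versus-write example from principle 1, the default-deny rule from principle 2, and the audit mechanism can be shown together in a small access check. This is an added example, not part of the original answer; the class names, subject names ("logger", "guest") and the object name "app.log" are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class ReferenceMonitor:
    """Mediates every access; all names and rights here are hypothetical."""
    # (subject, object) -> rights explicitly granted. No entry means no access.
    acl: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def grant(self, subject, obj, right):
        self.acl.setdefault((subject, obj), set()).add(right)

    def check(self, subject, obj, right):
        # Fail-safe default: allow only on an explicit grant of this exact right.
        allowed = right in self.acl.get((subject, obj), set())
        # Audit: record every decision, including denials.
        self.audit_log.append((subject, obj, right, "ALLOW" if allowed else "DENY"))
        return allowed


class LogObject:
    """An object that supports two distinct rights: 'append' and 'write'."""

    def __init__(self, name, monitor):
        self.name, self.monitor, self.lines = name, monitor, []

    def append(self, subject, line):
        if not self.monitor.check(subject, self.name, "append"):
            raise PermissionError(f"{subject} may not append to {self.name}")
        self.lines.append(line)

    def write(self, subject, lines):
        # 'write' replaces existing content, so it is a separate, stronger right.
        if not self.monitor.check(subject, self.name, "write"):
            raise PermissionError(f"{subject} may not write {self.name}")
        self.lines = list(lines)


def demo():
    monitor = ReferenceMonitor()
    log = LogObject("app.log", monitor)
    monitor.grant("logger", "app.log", "append")  # least privilege: append only
    log.append("logger", "service started")       # explicitly granted, so allowed
    outcomes = []
    for subject, action in (("logger", "write"), ("guest", "append")):
        try:
            getattr(log, action)(subject, [] if action == "write" else "x")
            outcomes.append("ALLOW")
        except PermissionError:
            outcomes.append("DENY")
    return log.lines, outcomes, monitor.audit_log
```

The subject holding only the append right cannot overwrite the log, the subject with no grant at all is denied by default, and both denials appear in the audit log alongside the allowed append.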