Software Engineering - Old Questions

10. Explain the security assessment.

6 marks | Asked in 2071(II)

Security assessment is a measurement of the security posture of a system or organization. The security posture is the way information security is implemented. Security assessments are risk-based assessments, due to their focus on vulnerabilities and impact.

The assessment of system security is increasingly important as more and more critical systems are Internet-enabled and so can be accessed by anyone with a network connection. There are daily stories of attacks on web-based systems, and viruses and worms are regularly distributed using Internet protocols. The verification and validation processes for web-based systems must focus on security assessment, where the ability of the system to resist different types of attack is tested.

Approaches to security checking:

1. Experience-based validation: In this case, the system is analyzed against types of attack that are known to the validation team. This type of validation is usually carried out in conjunction with tool-based validation. This approach may use all system documentation and could be part of other system reviews that check for errors and omissions.

2. Tool-based validation: In this case, various security tools such as password checkers are used to analyze the system. Password checkers detect insecure passwords such as common names or strings of consecutive letters.

3. Tiger teams: In this case, a team is set up and given the objective of breaching the system's security. They simulate attacks on the system and use their ingenuity to discover new ways to compromise the system's security.

4. Formal verification: A system can be verified against a formal security specification. It is very difficult for end-users of a system to verify its security.
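
The password checker mentioned under tool-based validation (approach 2), as an added example that is not part of the original answer: a small Python checker that flags the two patterns named there, common names and strings of consecutive letters. The name list, the run threshold of 4 and the sample accounts are constructed assumptions.

```python
import re

# Constructed sample list (assumption): real checkers load large dictionaries
# of names and previously leaked passwords.
COMMON_NAMES = {"michael", "jennifer", "david", "maria", "john", "sarah"}
MIN_RUN = 4  # assumed threshold: 4+ consecutive characters count as a sequence


def longest_consecutive_run(text):
    """Length of the longest ascending or descending run, e.g. 'abcd' or '4321'."""
    best = run = 1 if text else 0
    direction = 0
    for prev, cur in zip(text, text[1:]):
        step = ord(cur) - ord(prev)
        same_class = (prev.isalpha() and cur.isalpha()) or (prev.isdigit() and cur.isdigit())
        if same_class and step in (1, -1):
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def check_password(password):
    """Return the list of reasons a candidate password is considered insecure."""
    reasons = []
    lowered = password.lower()
    # Strip leading/trailing digits and symbols so 'Michael1!' still matches 'michael'.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in COMMON_NAMES:
        reasons.append("common name")
    if longest_consecutive_run(lowered) >= MIN_RUN:
        reasons.append("consecutive characters")
    return reasons


def audit(accounts):
    """Map each account whose candidate password is weak to the reasons found."""
    checked = {user: check_password(pw) for user, pw in accounts.items()}
    return {user: reasons for user, reasons in checked.items() if reasons}


if __name__ == "__main__":
    # Constructed sample accounts; passwords are checked when they are set.
    sample = {"alice": "Michael1!", "bob": "xyabcdef9", "carol": "t7#Lq!vR2p", "dave": "9876john"}
    for user, reasons in audit(sample).items():
        print(user, "->", ", ".join(reasons))
```
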