The Role of the Development Process in Operating System Security
Increasing numbers of computer security vulnerabilities mean that, more than ever before, internetworked computers are at risk from attack. Unfortunately, research to date has not found suitable solutions to these problems, and further work is therefore required to understand what is necessary to develop secure systems. This study sought to explore the relationship between the development process and the security of the fielded system. Specifically, an attempt was made to analyse the “real-world” security of three modern Unix systems, and this was compared with the consideration of security during their development. The results not only show that a consideration of security at all phases of development leads to significantly more secure products, but also indicate the specific roles that each development phase plays in this process.
Keywords: Security Analysis, Computer Security, Security Problem, Security Feature, Software Vendor