Security Vulnerabilities in Software Essay

Updated: Dec 20th, 2023

Security vulnerabilities in software result from defects or bugs that occur within the system. These defects lead to failure to meet the operational requirements and to errors in the operational requirements. An example of a defect is a coding error. Coding errors are attributed to errors in timing and errors in the validation of input data. Security problems may also arise when software requirements are improper.

According to Hamill and Goseva (2009), failures are behaviors of components in the system, while faults are conditions in the system. As such, not every fault corresponds to a failure. The software may perform as required if the conditions that would breed failures are not met.

The fact that a component is faulty does not by itself render the results vulnerable. A requirement may not be successful in dealing with some system states, and unwanted behavior may show up. This is a problem that results from a failure in the engineering processes which allocate the requirements of the system. As such, the vulnerability becomes faulty.

Computer architecture covers all parts of a computer system necessary for it to function, including the operating system, memory chips, circuits, buses, networking components and security components. Hennessy and Patterson (2006) portray the interrelationships of all of these parts as quite complex, and making them work together in a secure manner is complex as well. Security architecture differs from computer architecture in its strategies and methodologies.

Security architecture has strategies which are intended to prevent undesired behavior in the system, while computer architecture has strategies which are aimed at enabling wanted behavior. Security architecture is a design piece which describes the organization of security controls and their relationship with the entire computer architecture. These controls keep in check aspects that are attributed to system security, such as confidentiality, integrity and assurance of information.

The fundamental principle of the Bell-LaPadula model is to address information confidentiality. Hansche, Berti, & Hare (2003) note that the Bell-LaPadula model is a state machine model applied to enforce access control in State and military applications on classified information. The Bell-LaPadula model is built on the idea of a machine with a set of permissible states in the network system, whose transitions are defined by transition functions.

This model operates under the phrase: ‘No write down, no read up.’ According to the conceptualization of (Bell & Elliott, 2005), from a security standpoint, users can only have access to information within their ranks or below their ranks. The fundamental principle of the Biba model is to address data integrity. The Biba security model describes the rules for the protection of the integrity of the information. It is a formal state transition system that describes a set of control rules that enhance the integrity of the information. The data and the subjects are grouped into ordered integrity ranks.

In the Biba model, the subjects are set up in a manner that will not interfere with objects of a higher rank. Also, the subjects cannot be interfered with by objects of lower ranks. This model operates on the phrase: ‘No read down, no write up.’ From a security standpoint, users can only produce information at their ranks or below their ranks, and users can only access information at their ranks or above their ranks. Sandhu (1994) states that the Strong Star Property is when:

A S-user cannot write U-data and a U-user cannot write S-data. The strong star property limits each user to writing at their own level. It is motivated by integrity considerations (p. 17).

Password and ID encryption does not protect your website. It protects the passwords only. If the website does not have proper protection, the system can be cracked and the hacker may gain access to information and the password database. The information may be stored encrypted, and the hacker will not be able to access it.

Password authentication is an example of a challenge-response protocol. A hacker who eavesdrops on a password authentication could then authenticate by responding with the correct password. The solution would be to use passwords which are marked with identifiers. The correct password is needed for the identifier which has been chosen by the verifier.

A cryptographic nonce is used by authentication protocols as the challenge to ensure that every challenge-response sequence is unique. This protects against a replay attack (Stadlober & Zechner 1999).

References

Bell, D. E. (2005, December 7). Looking Back at the Bell-LaPadula Model. Proceedings of the 21st Annual Computer Security Applications Conference. (pp. 337–351). Tucson, Arizona, USA.

Hamill, M. & Goseva, K. (2009). Common Trends in Software Fault and Failure Data. IEEE Transactions on Software Engineering 35(4), 484-496.

Hansche, S., Berti, J. & Hare, C. (2003). Official (ISC)2 Guide to the CISSP Exam. New York: A CRC Press Company.

Hennessy, J. L. & Patterson, D. (2006). Computer Architecture: A Quantitative Approach. New York: Elsevier.

Sandhu, R. S. (1994). Relational Database Access Controls. In M. Krause, & H. F. Tipton (Eds.) Handbook of Information Security Management (pp. 145–160). New York: CRC Press LLC.

Stadlober, E., & Zechner, H. (1999). The patchwork rejection method for sampling from unimodal distributions. ACM Transactions on Modeling and Computer Simulation 9(1), 59-80.
