Appraisals Based on Security Best Practices for Software Configurations

Protecting systems and data from malicious access and corruption requires both effective security mechanisms and the correct configuration of those mechanisms. Configuring large software systems for security is a complex task that requires expertise many administrators lack. This paper proposes a generic methodology to condense widespread information about security best practices into easy-to-use appraisals for three scenarios: 1) to assess how effectively a software configuration fulfils best practices; 2) to understand the set of best practices that can be implemented when using a given software product; and 3) to evaluate how well a system administrator knows existing security best practices. Following this methodology we defined an appraisal for database system configurations, which was used to evaluate four real installations. Experimental results show the usefulness of this kind of security appraisal.
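As an added illustration of what a best-practice appraisal of a configuration can look like (scenarios 1 and 2 above), the following Python is not the paper's methodology or code: the checklist, the weights, the configuration keys and the sample values are all constructed assumptions, chosen only to show the mechanics of scoring a configuration against a weighted checklist and of measuring how much of that checklist a given product can satisfy.

```python
"""Weighted best-practice appraisal of a database configuration.

Added example, not the paper's own appraisal: every check, weight,
configuration key and sample value below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Config = Dict[str, object]


@dataclass(frozen=True)
class Check:
    name: str                          # best practice being appraised
    weight: int                        # relative importance (assumed)
    passes: Callable[[Config], bool]   # predicate over the configuration
    remediation: str                   # what the administrator should change


# Constructed checklist of generic database hardening practices.
CHECKS: List[Check] = [
    Check("Default administrative account renamed or removed", 3,
          lambda c: not c.get("default_admin_present", True),
          "Rename or drop the vendor default administrative account"),
    Check("Remote superuser login disabled", 3,
          lambda c: c.get("remote_superuser_login") is False,
          "Restrict superuser logins to local connections"),
    Check("Password policy enforced (min length >= 12)", 2,
          lambda c: int(c.get("password_min_length", 0)) >= 12,
          "Raise the minimum password length to at least 12"),
    Check("Audit logging enabled", 2,
          lambda c: c.get("audit_logging") is True,
          "Enable audit logging of logins and privilege changes"),
    Check("Network traffic encrypted (TLS required)", 3,
          lambda c: c.get("require_tls") is True,
          "Require TLS for all client connections"),
    Check("Sample/demo databases removed", 1,
          lambda c: not c.get("sample_dbs_present", True),
          "Drop sample and demo databases"),
]


def appraise(config: Config, checks: List[Check] = CHECKS) -> Tuple[float, List[str]]:
    """Scenario 1: score a configuration (0-100) and list failed practices."""
    total = sum(ch.weight for ch in checks)
    earned = sum(ch.weight for ch in checks if ch.passes(config))
    findings = [f"{ch.name}: FAIL -> {ch.remediation}"
                for ch in checks if not ch.passes(config)]
    return round(100.0 * earned / total, 1), findings


def product_coverage(supported: Set[str],
                     checks: List[Check] = CHECKS) -> Tuple[float, List[str]]:
    """Scenario 2: how much of the checklist a product can implement at all.

    `supported` is the set of check names the product offers a setting for.
    """
    total = sum(ch.weight for ch in checks)
    covered = sum(ch.weight for ch in checks if ch.name in supported)
    missing = [ch.name for ch in checks if ch.name not in supported]
    return round(100.0 * covered / total, 1), missing


# Constructed sample configuration of one installation (assumed values).
SAMPLE_CONFIG: Config = {
    "default_admin_present": False,
    "remote_superuser_login": True,
    "password_min_length": 8,
    "audit_logging": True,
    "require_tls": True,
    "sample_dbs_present": True,
}

# Constructed capability set of a hypothetical product lacking TLS support.
SAMPLE_PRODUCT_SUPPORT: Set[str] = {ch.name for ch in CHECKS
                                    if ch.name != "Network traffic encrypted (TLS required)"}

if __name__ == "__main__":
    score, findings = appraise(SAMPLE_CONFIG)
    print(f"Configuration score: {score}")
    for line in findings:
        print("  " + line)
    cov, missing = product_coverage(SAMPLE_PRODUCT_SUPPORT)
    print(f"Product can implement {cov}% of the checklist; missing: {missing}")
```

The score is a weighted fraction of satisfied checks, so a single high-weight failure (here, remote superuser login left enabled) costs more than a low-weight one; the findings list gives the administrator the concrete remediation for each failed practice, which is what makes the appraisal usable by someone without deep expertise.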
