Security engineering is a sub-field of the broader field of computer security. It encompasses tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data.
Dimensions of security:
• Confidentiality Information in a system may be disclosed or made accessible to people or programs that are not authorized to have access to that information.
• Integrity Information in a system may be damaged or corrupted making it unusual or unreliable.
• Availability Access to a system or its data that is normally available may not be possible.
Three levels of security:
• Infrastructure security is concerned with maintaining the security of all systems and networks that provide an infrastructure and a set of shared services to the organization.
• Application security is concerned with the security of individual application systems or related groups of systems.
• Operational security is concerned with the secure operation and use of the organization's systems.
Application security is a software engineering problem where the system is designed to resist attacks. Infrastructure security is a systems management problem where the infrastructure is configured to resist attacks.
System security management involves user and permission management (adding and removing users from the system and setting up appropriate permissions for users), software deployment and maintenance (installing application software and middleware and configuring these systems so that vulnerabilities are avoided), attack monitoring, detection and recovery (monitoring the system for unauthorized access, design strategies for resisting attacks and develop backup and recovery strategies).
Operational security is primarily a human and social issue, which is concerned with ensuring the people do not take actions that may compromise system security. Users sometimes take insecure actions to make it easier for them to do their jobs. There is therefore a trade-off between system security and system effectiveness.
