1. Definition 18–2 defines assurance in terms of "confidence." A vendor advertises that its system was connected to the Internet for three months, and no one was able to break into it. It claims that this means that the system cannot be broken into from any network. Do you share the vendor's confidence? Why or why not? If a commercial evaluation service had monitored the testing of this system and confirmed that, despite numerous attempts, no attacker had succeeded in breaking into it, would your confidence in the vendor's claim be increased, decreased, or left unchanged? Justify your answer.

2. A computer security expert contends that most break-ins to computer systems today are attributable to flawed programming or incorrect configuration of systems and products. If this claim is true, do you think design assurance is as important as implementation and operational assurance? Why or why not?

3. Suppose you are the developer of a computer product that can process critical data and will likely run in a hostile environment. You have an outstanding design and development team, and you are very confident in the quality of their work. Explain why you would add assurance steps to your development environment. What additional information (if any) would you need in order to decide whether or not the product should be formally evaluated?

4. Requirements are often difficult to derive, especially when the environment in which the system will function, and the specific tasks it will perform, are unknown. Explain the problems that this causes during development of assurance.

5. Why is the waterfall model of software engineering the most commonly used method for development of trusted systems?

6. The goal of a researcher is to develop new ideas and then test them to see if they are feasible. Software developed to test a new idea is usually similar to software developed for proof of concept (see Definition 18–9). A commercial firm trying to market software that uses a new idea decides to use the software that the researchers developed. What are the problems with this decision from an assurance point of view? What should the company do to improve the software (and save its reputation)?

7. A company develops a new security product using the extreme programming software development methodology. Programmers code, then test, then add more code, then test, and continue this iteration. Every day, they test the code base as a whole. The programmers work in pairs when writing code to ensure that at least two people review the code. The company does not adduce any additional evidence of assurance. How would you explain to the management of this company why their software is in fact not "high-assurance" software?