合肥等保技术大会.ppt

1、从工程到科学 信息安全知识体系与学科发展From Engineering up to SciencesInformation Security BoK and Discipline Development陈钟 教授、主任北京大学网络和软件安全保障教育部重点实验室信息科学技术学院计算机科学与技术系2013年 6月 21日安徽 合肥第二届全国信息安全等级保护技术大会内容提要u现状与回顾u安全：从工程到科学的挑战学科性质人的因素开放系统u安全：从工程到科学的途径核心论规范论u启示u结束语2现状：从知识结构来看技能列表 +WWHWuCan implement solid security practi

2、cesuCan perform in depth risk analysisuCan configure proper access rights and permissionsuCan implement access controluCan secure data as it crosses the networkuCan implement proper change controluUnderstand methods used to attack resourcesuUnderstand the system development life cycleuCan perform se

3、curity auditsuCan develop a business continuity planuUnderstands laws on and about computer crimeAbility to know What、 Why、 How and know WHO! Individual control of personal data Products, online services adhere to fair information principles Protects individuals right to be left alone Resilient agai

4、nstattack Protects confidentiality, integrity, availability of data and systems Engineering Excellence Dependable, performs at expected levels Available when needed Open, transparent interaction with customers Address issues with products and services Help customers find appropriate solutions现状：业界十年

5、的实践Secure by DeploymentNew patch management tools 7 Microsoft Official Curriculum courses available at launchOfficial security configuration guidesIntegrated security toolsSecure by DesignMandatory training Built threat modelsConducted code reviews and penetration testingUsed automated code toolsDes

6、ign: Least PrivilegeSecure by Default60% less attack surface area by default compared to Windows NT 4.0 SP320+ services changed to be off by defaultService install in a secure state (IIS 6.0 Lockdown Tool)安全框架 : SD3+C CommunicationsWriting Secure Code 2.0Patch Management White PapersSecurity Develop

7、ment LifecycleuSDL mapped against Traditional Software Development Lifecycle安全软件工程需要适应软件即服务的环境和流程安全软件工程需要安全架构师全过程开发与跟踪！另一个例子： SEMATuSEMAT： Software Engineering Method and Theory2009年，由 Ivar Jacobson 等三人发起 寻找软件工程方法和理论的本质， SEMAT三年愿景：行动计划倡议书 中国七所软件工程学科领先的大学（北大、清华、北航、南大、复旦、武大、上海）为 SEMAT的支持单位，并作为 SEMAT China Chapter骨干成员，参与了相关的工作和活动u最新进展： OMG新标准 软件工程的本质：内核及语言（ 2013年 3月 20日获得投票通过）从工程到科学u现状u目标u挑战u方法学人度量概念形成