now, the last thing that we want to look at in relation to secure software design is we want to make sure that we're using secure technologies as they're available to us and make sure that we're considering all the elements in which our software could be compromised.
One of the things that we would think about first would be authentication and identity management, and this is very, very
big today, especially because we're because we're looking at sharing this authentication information across boundaries, and we'll talk about a little bit later. We'll talk about Federated Trusts, and service is now when we talk about identification, we've already said that's making a claim. So I claim to be Kelly Hander. Hand
authentication gives me a way of supporting that. Whether it's a password, a smart card, some sort of biometric means, whatever that is.
So when we talk about identity and access management, what we're looking at here, all the service is that policies and procedures of ways that we used to manage a digital identity. So how that account gets created, how that account gets managed, how we allow
elements of that control to being monitored in updated or or that identity.
Then we also have to think about the security controls that we put on Ah, and that we used to manage our digital identities, you know, especially to make sure that we're under legal compliance. You know, Sarbanes Oxley socks, which I mentioned earlier, is very accountability oriented, very heavy on auditing,
so verifying that identity is very, very important in relation to socks.
We think about credential management.
Earlier, we discussed things like cross site scripting and see surf attacks and specifically, the sea surf, which again stands for cross site Request for forgery
takes advantage of my pre established session and the fact that that session information might be stored as a cookie on my system and it might be stored in plain text. So we want to make sure that any credentials that I have in any sort of, whether their passwords or session ideas or
any type of information along those lines, we want to make sure that that information
is protected. We want to make sure that we have proper authorization and the privilege escalation doesn't happen. We want to have good, strong authentication mechanisms in place so that we don't allow unauthorized access.
Uh, in any time we talk about, you know, strong authenticity, we think about multi factor authentication, the use of certificates. We may talk about using bi metrics. We might talk about using smart cards. You need those other elements and then this idea of single sign on,
uh, which is what allows me to log on to the domain with a single set of credentials, my user name and password frequently.
And that allows me access to all Resource is in the domain.
Now, the problem with that is the idea of keys to the kingdom. If I just need one password to access everything in the domain,
all in attacker needs is that one password to access everything in the domain.
And what we're moving towards today is an eye is an idea of super sign on, not just single sign on, but super sign on and what we're seeing more and Maura's. I provide one set of credentials like, for instance, my social media credentials, whether it's Facebook or Twitter, whatever that might be.
And those credentials allow me access to many different resource is whether it's the Washington Post, whether it's Pandora Radio whether or not it's, uh, you know, reading a car through hurts or whatever brands I would use. So the idea is being able to forward this authentication information
across Federated Trust
really expands the idea of identity and access management, but also credential management as well.