public ActionResult AddPermission(int id, Guid userId, string roleId)
{
var permissionCheck = _projectService.GetProject(id, CurrentUserId);
var project = Db.Projects.Where(a => a.Id == id).FirstOrDefault();
var user = Db.Users.Where(a => a.UserId == userId).FirstOrDefault();
var role = Db.ProjectRoles.Where(a => a.Id == roleId).FirstOrDefault();
if (project == null || user == null || role == null) return this.RedirectToAction(a => a.Index());
var worker = new ProjectWorker() {Project = project, Role = role, User = user};
Db.ProjectWorkers.Add(worker);
Db.SaveChanges();
Message = "Permission added to project.";
return this.RedirectToAction(a => a.Permissions(id));
}
/// <summary>
/// Create the project
/// </summary>
/// <param name="name"></param>
/// <param name="description"></param>
/// <param name="login"></param>
/// <returns></returns>
public Project CreateProject(string name, string description, string login)
{
using (var db = new SquareContext())
{
// load objects
var user = db.Users.Where(a => a.Username == login).Single();
var role = db.ProjectRoles.Where(a => a.Id == ProjectRoles.ProjectManager).Single();
var steps = db.Steps;
var squareTypes = db.SquareTypes;
var project = new Project() { Name = name, Description = description };
// create the worker for current user
var worker = new ProjectWorker() { Project = project, Role = role, User = user };
project.ProjectWorkers.Add(worker);
// fill in all the project steps
foreach (var squareTypeId in squareTypes.Select(a => a.Id).ToList())
{
foreach (var step in steps.Where(a => a.SquareType.Id == squareTypeId))
{
var pstep = new ProjectStep() { Project = project, Step = step };
project.ProjectSteps.Add(pstep);
}
}
// save the project
db.Projects.Add(project);
db.SaveChanges();
return project;
}
}
/// <summary>
/// Inserts the values available for the case study
/// </summary>
/// <param name="context"></param>
private static void InsertCaseStudy(SquareContext context)
{
var projectService = new ProjectsService();
var token = CodeFirstMembershipDemoSharp.Code.CodeFirstSecurity.CreateAccount("casestudy", "password", "*****@*****.**");
var user = context.Users.Where(a => a.Username == "casestudy").Single();
// create the project
var steps = context.Steps;
var squareTypes = context.SquareTypes;
var security = squareTypes.Where(a => a.Name == SquareTypes.Security).Single();
var project = new Project() { Name = "Asset Management System", Description = "IT Management system, developed for the Acme Company as part of a case study for the SQUARE process. More details can be obtained at the following addresses. (http://www.sei.cmu.edu/library/abstracts/reports/04sr015.cfm) (http://www.sei.cmu.edu/library/abstracts/reports/05sr005.cfm) (http://www.sei.cmu.edu/library/abstracts/reports/06sr003.cfm)" };
// fill in all the project steps
foreach (var squareTypeId in squareTypes.Select(a => a.Id).ToList())
{
foreach (var step in steps.Where(a => a.SquareType.Id == squareTypeId))
{
var pstep = new ProjectStep() { Project = project, Step = step, Complete = (squareTypeId == security.Id), DateStarted = (squareTypeId == security.Id) ? (DateTime?)DateTime.Now : null, DateCompleted = (squareTypeId == security.Id) ? (DateTime?)DateTime.Now : null };
project.ProjectSteps.Add(pstep);
}
}
// assign the roles
var role = context.ProjectRoles.Where(a => a.Id == ProjectRoles.ProjectManager).Single();
var worker = new ProjectWorker() { Project = project, Role = role, User = user };
project.ProjectWorkers.Add(worker);
// create the terms
#region Project Terms
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "access control", Definition = "Access control ensures that resources are only granted to those users who are entitled to them.", Source = "SANS Institute", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "access control list", Definition = "A table that tells a computer operating system which access rights or explicit denials each user has to a particular system object, such as a file directory or individual file ", Source = "http://watis.techtarget.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "antivirus software", Definition = "A program that searches hard drives and floppy disks for any known or potential viruses ", Source = "http://watis.techtarget.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "artifact", Definition = "The remnants of an intruder attack or incident activity. These could be software used by intruder(s), a collection of tools, malicious code, logs, files, output from tools, or the status of a system after an attack or intrusion ", Source = "Handbook for Computer Security Incident Response Teams", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "asset", Definition = "A critical valuable that a company owns and wants to secure.", Source = "SQUARE Case Study", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "attack", Definition = "An action conducted by an adversary, the attacker, on a potential victim. A set of events that an observer believes to have information assurance consequences on some entity, the target of the attack ", Source = "A Trustworthy Refinement Through Intrusion-Aware Design", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "auditing", Definition = "The information gathering and analysis of assets to ensure such things as policy com- pliance and security from vulnerabilities ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "authentication", Definition = "The process of determining whether someone or something is, in fact, who or what it is declared to be ", Source = "http://watis.techtarget.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "availability", Definition = "The property of a system or a system resource being accessible and usable upon de- mand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system de- sign whenever users request them ", Source = "http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028abstract.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "back door", Definition = "An element in a system that allows access by bypassing access controls ", Source = "http://www.cert.org/research/JHThesis/Start.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "breach", Definition = "Any intentional event in which an intruder gains access that compromises the confi- dentiality, integrity, or availability of computers, networks, or the data residing on them ", Source = "http://www.cert.org/security-improvement/modules/m06.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "brute force", Definition = "A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one by one ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "buffer overflow", Definition = "A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information— which has to go somewhere—can overflow into adjacent buffers, corrupting or overwriting the valid data held in them ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "cache cramming", Definition = "The technique of tricking a browser to run cached Java code from the local disk in- stead of the Internet zone, so it runs with less restrictive permissions ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "cache poisoning", Definition = "Malicious or misleading data from a remote name server is saved ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "confidentiality", Definition = "The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (i.e., to any unauthorized system entity) ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "control", Definition = "An action, device, procedure, or technique that removes or reduces a vulnerability", Source = "SQUARE Case Study", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "corruption", Definition = "A threat action that undesirably alters system operation by adversely modifying sys- tem functions or data ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "cracker", Definition = "Someone who breaks into someone else’s computer system, often on a network; by- passes passwords or licenses in computer programs; or in other ways intentionally breaches computer security ", Source = "http://watis.techtarget.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "denial-of-service (DoS) attack", Definition = "A form of attacking another computer or company by sending millions of requests every second, causing the network to slow down, cause errors, or shut down.", Source = "Computer Hope", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "disaster recovery plan", Definition = "A disaster recovery plan (DRP)—sometimes referred to as a business continuity plan (BCP) or business process contingency plan (BPCP)—describes how an organization is to deal with potential disasters ", Source = "http://watis.techtarget.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "disclosure", Definition = "The dissemination of information to anyone who is not authorized to access that in- formation ", Source = "http://www.cert.org/archive/pdf/OCTAVEthreatProfiles.pdf", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "disgruntled employee", Definition = "A person in an organization who deliberately abuses or misuses computer systems and their information ", Source = "http://www.cert.org/archive/pdf/OCTAVEthreatProfiles.pdf", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "downtime", Definition = "The amount of time a system is down in a given period. This will include crashes and system problems as well as scheduled maintenance work ", Source = "http://www.yourwindow.to/information-security", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "disruption", Definition = "A circumstance or event that interrupts or prevents the correct operation of system services and functions ", Source = "http://www.cert.org/archive/pdf/OCTAVEthreatProfiles.pdf", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "encryption", Definition = "Cryptographic transformation of data (called “plaintext”) into a form (called “cipher text”) that conceals the data’s original meaning to prevent it from being known or used ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "espionage", Definition = "The act or practice of spying or of using spies to obtain secret information about another government or a business competitor ", Source = "http://dictionary.reference.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "essential services", Definition = "Services to users of a system that must be provi ded even in the presence of intrusion, failure, or accident ", Source = "http://www.sei.cmu.edu/publications/documents/97.reports/97tr013/97tr013abstract.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "exposure", Definition = "The dissemination of information to anyone who is not authorized to access that in- formation ", Source = "http://www.cert.org/archive/pdf/OCTAVEthreatProfiles.pdf", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "fabrication", Definition = "Aims to fool other machines on the network into accepting the imposter as an origi- nal, either to lure the other machines into sending it data or to allow it to alter data ", Source = "http://www.cert.org/research/taxonomy_988667.pdf", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "fault line attacks", Definition = "Fault line attacks use weaknesses between interfaces of systems to exploit gaps in coverage ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "fault tolerance", Definition = "Describes a computer system or component designed so that, in the event that a com- ponent fails, a backup component or procedure can immediately take its place with no loss of service. Fault tolerance can be provided with software, or embedded in hardware, or provided by some combination ", Source = "http://watis.techtarget.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "firewall", Definition = "A system designed to prevent unauthorized access to or from a private network. Fire- walls can be implemented in both hardware and software, or a combination of both ", Source = "http://www.webopedia.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "hacker", Definition = "An individual who breaks into computers primarily for the challenge and status of obtaining access ", Source = "http://www.cert.org/research/JHThesis/Start.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "honey pot", Definition = "Programs that simulate one or more network services designated on a computer’s ports. An attacker assumes that vulnerable services that can be used to break into the machine are being run. A honey pot can be used to log access attempts to those ports, including the attacker’s keystrokes. This can provide advanced warning of a more concerted attack ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "HTTP header manipulation", Definition = "HTTP requests and responses send information in the HTTP headers. HTTP headers are a series of lines containing a name/value pair used to pass information such as the host, referrer, user agent, etc. HTTP headers can be manipulated to cause SQL injec- tion or cross-site scripting errors.", Source = "ASI", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "impact", Definition = "The negative effect of an attack on a victim system by an attacker ", Source = "http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028abstract.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "incident", Definition = "An adverse network event in an information system or network or the threat of the occurrence of such an event ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "incident handling", Definition = "An action plan for dealing with intrusions, cyber theft, denial of service, fire, floods, and other security-related events ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "insider threat", Definition = "The threat that authorized personnel of an organization will act counter to the organi- zation’s security and interest, especially for the purposes of sabotage and espionage ", Source = "http://www.hpcc-usa.org/pics/02-pres/wright.ppt", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "integrity", Definition = "For systems, the quality that a system has when it can perform its intended function in a unimpaired manner, free from deliberate or inadvertent unauthorized manipula- tion. For data, the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner ", Source = "http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028abstract.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "interception", Definition = "Access to an asset gained by an unauthorized party ", Source = "Security in Computing", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "intrusion", Definition = "An attack on a network for the purpose of gaining access to or destroying privileged information or disrupting services to legitimate users ", Source = "A Trustworthy Refinement Through Intrusion-Aware Design", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "intrusion detection system", Definition = "A combination of hardware and software that monitors and collects system and net- work information and analyzes it to determine if an attack or an intrusion has oc- curred. Some ID systems can automatically respond to an intrusion ", Source = "http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028abstract.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "intrusion prevention system", Definition = "A system used to actively drop packets of data or disconnect connections that contain unauthorized data. Intrusion prevention technology is also commonly an extension of intrusion detection technology ", Source = "www.wikipedia.org", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "liability", Definition = "The responsibility of someone for damage or loss ", Source = "http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "luring attack", Definition = "A type of elevation of privilege attack where the attacker “lures” a more highly privi- leged component to do something on his or her behalf. The most straightforward technique is to convince the target to run the attacker’s code in a more privileged security context ", Source = "“Item 7: What is a Luring Attack?” The .NET Developer’s Guide to Windows Security", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "malware", Definition = "Programming or files that are developed for the purpose of doing harm. Thus, mal- ware includes computer viruses, worms, and Trojan horses ", Source = "http://www.webopedia.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "man-in-the-middle attack", Definition = "An attack in which the attacker is able to read, and possibly modify at will, messages between two parties without letting either party know that they have been attacked. The attacker must be able to observe and intercept messages going between the two victims ", Source = "http://encyclopedia.thefreedictionary.com/man%20in%20the%20middle%20attack", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "masquerade", Definition = "Aims to fool other machines on the network into accepting the imposter as an origi- nal, either to lure the other machines into sending it data or to allow it to alter data ", Source = "http://www.cert.org/research/taxonomy_988667.pdf", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "modification", Definition = "Situation in which an unauthorized party not only gains access to, but tampers with an asset ", Source = "http://www.cert.org/research/JHThesis/Start.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "non-essential services", Definition = "Services to users of a system that can be temporarily suspended to permit delivery of essential services while the system is dealing with intrusions and compromises ", Source = "http://www.sei.cmu.edu/publications/documents/97.reports/97tr013/97tr013abstract.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "non-repudiation", Definition = "The goal of non-repudiation is to prove that a message has been sent and received ", Source = "http://www.ssimail.com/Glossary.htm#N", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "patch", Definition = "A small update released by a software manufacturer to fix bugs in an existing pro- gram ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "patching", Definition = "The process of updating software to a new version that fixes bugs in a previous ver- sion ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "penetration", Definition = "Intrusion, trespassing, or unauthorized entry into a system ", Source = "http://www.yourwindow.to/information-security", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "penetration testing", Definition = "The execution of a testing plan, the sole purpose of which is to attempt to hack into a system using known tools and techniques ", Source = "http://www.yourwindow.to/information-security", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "physical security", Definition = "Security measures taken to protect systems, buildings, and related supporting infra- structure against threats associated with their physical environment ", Source = "http://encyclopedia.thefreedictionary.com/man%20in%20the%20middle%20attack", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "port scanning", Definition = "The act of systematically scanning a computer’s ports ", Source = "http://www.webopedia.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "privacy", Definition = "The quality or condition of being secluded from the presence or view of others ", Source = "http://dictionary.reference.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "procedure", Definition = "The implementation of a policy in the forms of workflows, orders, or mechanisms ", Source = "http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "recognition", Definition = "The capability of a system to recognize attacks or the probing that precedes attacks ", Source = "A Trustworthy Refinement Through Intrusion-Aware Design", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "recovery", Definition = "A system’s ability to restore services after an intrusion has occurred. Recovery also contributes to a system’s ability to maintain essential services during intrusion ", Source = "A Trustworthy Refinement Through Intrusion-Aware Design", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "replay attack", Definition = "The interception of communications, such as an authentication communication, and subsequent impersonation of the sender by retransmitting the intercepted communi- cation ", Source = "http://www.ffiec.gov/ffiecinfobase/booklets/information_security/08_glossary.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "resilience", Definition = "The ability of a computer or system to both withstand a range of load fluctuations and also remain stable under continuous and/or adverse conditions ", Source = "http://www.yourwindow.to/information-security", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "resistance", Definition = "Capability of a system to resist attacks ", Source = "A Trustworthy Refinement Through Intrusion-Aware Design", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "risk", Definition = "The product of the level of threat with the level of vulnerability. It establishes the likelihood of a successful attack ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "risk assessment", Definition = "The process by which risks are identified and the impact of those risks determined ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "security policy", Definition = "A policy that addresses security issues ", Source = "http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "script kiddies", Definition = "The more immature but unfortunately often just as dangerous exploiter of security lapses on the Internet. The typical script kiddy uses existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet—often randomly and with little regard or perhaps even understanding of the potentially harmful consequences ", Source = "http://watis.techtarget.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "spoof", Definition = "The term is used to describe a variety of ways in which hardware and software can be fooled. IP spoofing, for example, involves trickery that makes a message appear as if it came from an authorized IP address ", Source = "http://www.webopedia.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "SQL injection", Definition = "A type of input validation attack specific to database-driven applications where SQL code is inserted into application queries to manipulate the database ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "stakeholder", Definition = "Anyone who is a direct user, indirect user, manager of users, senior manager, opera- tions staff member, support (help desk) staff member, developer working on other systems that integrate or interact with the one under development, or maintenance professionals potentially affected by the development and/or deployment of a soft- ware project ", Source = "http://www.agilemodeling.com/essays/activeStakeholderParticipation.htm", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "stealthing", Definition = "A term that refers to approaches used by malicious code to conceal its presence on an infected system ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "survivability", Definition = "The capability of a system to complete its mission in a timely manner, even if sig- nificant portions are compromised by attack or accident. The system should provide essential services in the presence of successful intrusion and recover compromised services in a timely manner after intrusion occurs ", Source = "http://www.sei.cmu.edu/publications/documents/03.reports/03tn013.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "target", Definition = "The object of an attack, especially host, computer, network, system, site, person, organization, nation, company, government, or other group ", Source = "http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028abstract.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "threat", Definition = "A potential for violation of security, which exists when there is a circumstance, capa- bility, action, or event that could breach security and cause harm ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "threat assessment", Definition = "The identification of the types of threats that an organization might be exposed to ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "threat model", Definition = "Used to describe a given threat and the harm it could to do a system if it has a vulner- ability ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "toolkits", Definition = "A collection of tools with related purposes or functions, e.g., antivirus toolkit, disk toolkit ", Source = "http://www.yourwindow.to/information-security", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "Trojan", Definition = "A program in which malicious or harmful code is contained inside apparently harm- less programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on a hard disk ", Source = "http://watis.techtarget.com", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "trust", Definition = "Determines which permissions other systems or users have and what actions they can perform on remote machines ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "uptime", Definition = "The property of a system or a system resource being accessible and usable upon de- mand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system de- sign whenever users request them ", Source = "http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028abstract.html", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "victim", Definition = "That which is the target of an attack. An entity may be a victim of either a successful or unsuccessful attack ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "virus", Definition = "A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting—i.e., inserting a copy of itself into and becoming part of— another program. A virus cannot run by itself; it requires that its host program be run to make it active ", Source = "http://www.sans.org/resources/glossary.php", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "vulnerability", Definition = "A condition or weakness in (or absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat ", Source = "http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf", SquareType = security });
project.ProjectTerms.Add(new ProjectTerm() { Project = project, Term = "worm", Definition = "A self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usu- ally invisible to the user. It is common for worms to be noticed only when their un- controlled replication consumes system resources, slowing or halting other tasks ", Source = "http://watis.techtarget.com", SquareType = security });
#endregion
// create the business/security goals
var business = context.GoalTypes.Where(a => a.Id == GoalTypes.Business).Single();
project.Goals.Add(new Goal(){Project = project, Description = "This tool is not intended to provide canned responses to every possible scenario, but instead provides the means to make informative decisions based on available sources.", Name="Business goal", GoalType = business, SquareType = security});
var sgoals = context.GoalTypes.Where(a => a.Id == GoalTypes.Security).Single();
project.Goals.Add(new Goal() { Project = project, Description = "Insure that information and resources are accessed only by those who are authorized to use them", Name = "Confidentiality", GoalType = sgoals, SquareType = security });
project.Goals.Add(new Goal() { Project = project, Description = "Ensure that the Asset Management System is functional and available at all times. This includes the core facility management services, Sybase databases, etc.", Name = "Availability", GoalType = sgoals, SquareType = security });
project.Goals.Add(new Goal() { Project = project, Description = "Integrity of data is absolutely critical in the Asset Management System package. Data backups and checksum integrity verification are of the utmost importance", Name = "Data Integrity", GoalType = sgoals, SquareType = security });
project.Goals.Add(new Goal() { Project = project, Description = "Preserve or enhance the ability to accurately record the activities that take place.", Name = "Monitoring", GoalType = sgoals, SquareType = security });
project.Goals.Add(new Goal() { Project = project, Description = "Only authorized users of the Asset Management System have access to their specified and permissible resources", Name = "Access Control", GoalType = sgoals, SquareType = security });
project.Goals.Add(new Goal() { Project = project, Description = "The most important goal is the ability to deliver essential services in the face of attack, failure, or accident.", Name = "Maintaining Mission Critical Services", GoalType = sgoals, SquareType = security });
project.Goals.Add(new Goal() { Project = project, Description = "Have a current disaster recovery plan in the event of an emergency or service disruption.", Name = "Disaster Recovery", GoalType = sgoals, SquareType = security });
project.Goals.Add(new Goal() { Project = project, Description = "Periodic code review should be performed to ensure script and code confidentiality and integrity", Name = "Code Review", GoalType = sgoals, SquareType = security });
// select the elicitation and risk assessment types
var elicitation = context.ElicitationTypes.Where(a => a.Name == "Not Listed" && a.SquareType.Id == security.Id).Single();
project.SecurityElicitationType = elicitation;
project.SecurityElicitationRationale = "This was the selected method used by the project team.";
// insert the categories
project.Categories.Add(new Category() { Name = "Disaster Control", Project = project, SquareType = security });
project.Categories.Add(new Category() { Name = "Authentication", Project = project, SquareType = security });
project.Categories.Add(new Category() { Name = "Unauthorized Attacks", Project = project, SquareType = security });
project.Categories.Add(new Category() { Name = "Disaster Recovery", Project = project, SquareType = security });
project.Categories.Add(new Category() { Name = "Encryption", Project = project, SquareType = security });
project.Categories.Add(new Category() { Name = "Auditing", Project = project, SquareType = security });
project.Categories.Add(new Category() { Name = "Privacy", Project = project, SquareType = security });
project.Categories.Add(new Category() { Name = "Survivability", Project = project, SquareType = security });
project.Categories.Add(new Category() { Name = "Access Control", Project = project, SquareType = security });
// insert the requirements
project.Requirements.Add(new Requirement() { RequirementId = "SU-3", RequirementText = "Only System Administrators are permitted to install any software and/or hardware", Name = "Administrators Install Software", Source = "PR-01, PR-12, MC 13, MC-15", Priority = 2, Order = 2, Project = project, Category = project.Categories.Where(a => a.Name == "Survivability").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "SU-4", RequirementText = "The operating system, applications, firewalls, and IDS must be patched routinely.", Name = "Patching", Source = "PR-02, PR-08, MC-01, MC-03, MC-13, MC-15, MC-16, MC-17, MC-18, MC-19, MC-20 MC- 21, MC-22", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Survivability").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "UA-9", RequirementText = "Follow the principle of lest privilege and use least privileged service account to run processes and access resources.", Name = "Prevent Input Validation Attack", Source = "PR-09, MC-08, MC-09, MC-11, MC-17, MC-20, MC-22", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Unauthorized Attacks").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AU-5", RequirementText = "User activities must be periodically reviewed.", Name = "Activity Review", Source = "PR-04, PR-14, PR-21, MC-01, MC02, MC03, MC-04, MC-05, MC-06, MC-07, MC-08, MC-09, MC-10, MC-14, MC-15, MC-16, MC-17, MC-18, MC-20, MC-22", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Auditing").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AU-1", RequirementText = "The system shall audit systems on network and user logging information. This shall be put into practice monthly.", Name = "Audit User Information", Source = "AR-03, MC-01, MC-02, MC-03, MC-04, MC-05, MC-06, MC-07", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Auditing").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "PV-6", RequirementText = "Require users to change their passwords periodically.", Name = "Change Passwords", Source = "PR-16, PR-24, MC-01, MC-03, MC-10, MC-20", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Privacy").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "UA-6", RequirementText = "The system shall enforce the use of firewall technology.", Name = "Firewall", Source = "AR-26, MC-17, MC-18", Priority = 2, Order = 2, Project = project, Category = project.Categories.Where(a => a.Name == "Unauthorized Attacks").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AC-5", RequirementText = "Users should not have rights or access levels beyond those which are prescribed by their job responsibilities.", Name = "Rights by Job", Source = "PR-23, MC-01, MC-02, MC03, MC-06, MC-08, MC-09, MC-10", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Access Control").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AC-2", RequirementText = "The system shall not grant any client application access to one or more system", Name = "Client Application Access", Source = "AR-08, MC-08", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Access Control").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AN-2", RequirementText = "Authentication control mechanism shall be enforced in production environment. Authentication control will be done on the network level.", Name = "Network Authentication", Source = "AR-04, AR-09, MC-17, MC-19", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Authentication").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "EN-3", RequirementText = "A secure communication channel shall be used to secure Web data transfer.", Name = "Secure Data Transfer.", Source = "AR-32, MC-12, MC-13,MC-19", Priority = 2, Order = 2, Project = project, Category = project.Categories.Where(a => a.Name == "Encryption").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AU-7", RequirementText = "A DBA and/or manager performs information integrity checks on a routine basis.", Name = "Integrity Checks", Source = "PR-04, PR-14, PR-21, MC-01, MC02, MC03, MC-04, MC-05, MC-06, MC-07, MC-08, MC-09, MC-10, MC-14, MC-15, MC-16, MC-17, MC-18, MC-20, MC-22", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Auditing").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "PV-1", RequirementText = "The system shall not permit any user login data to be retrieved by an attacker.", Name = "Protect login data", Source = "AR-10, AR-17, MC-20", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Privacy").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "SU-6", RequirementText = "Do not set up shared files/folders/drives on the network.", Name = "No shared files/folders/drives", Source = "PR-06, MC-08, MC-10, MC-11, MC-14", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Survivability").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "SU-5", RequirementText = "New systems on the network should be evaluated prior to deployment.", Name = "New System Evaluation", Source = "PR-11, MC-17", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Survivability").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AC-1", RequirementText = "The system shall not grant any user access to one or more system services and data during a secure session without first identifying the user.", Name = "User Access", Source = "AR-08, MC-08", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Access Control").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AN-1", RequirementText = "Authentication control mechanism shall be enforced in production environment. Authentication control will be done on user name and password or other user credentials.", Name = "Authentication Controls", Source = "AR-01, MC-01", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Authentication").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "PV-3", RequirementText = "Password-protect any necessary shared documentation", Name = "Password Shared Documentation", Source = "PR-07, PR-13, PR-22, MC-01, MC-03, MC-06, MC-08, MC-09, MC-10, MC-11, MC-13, MC-14, MC- 20", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Privacy").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "SU-2", RequirementText = "All installation must be approved and reviewed by managers. ", Name = "Managers Review Installation", Source = "PR-01, PR-12, MC-13, MC-15", Priority = 2, Order = 2, Project = project, Category = project.Categories.Where(a => a.Name == "Survivability").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "PV-5", RequirementText = "Users should not reveal their account names and passwords in any situation", Name = "Credentials Protection", Source = "PR-16, PR-24, MC-01, MC-03, MC-10, MC-20", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Privacy").Single(), SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AC-4", RequirementText = "Set clear and defined user access control for all users (Low, Medium, High, System Admin).", Name = "User access levels", Source = "PR-19, MC,01, MC-08, MC-10, MC-11, MC-20", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Access Control").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "EN-2", RequirementText = "Secure technologies shall be used to provide secure communications channels.", Name = "Secure Communication Channels", Source = "AR-25, MC-13, MC-19", Priority = 2, Order = 2, Project = project, Category = project.Categories.Where(a => a.Name == "Encryption").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "UA-10", RequirementText = "Perform routine code review", Name = "Code Reviews", Source = "PR-15, MC-16", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Unauthorized Attacks").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "SU-1", RequirementText = "The system shall continue to fulfill its mission in the presence of an attack (possibly in minim and safe mode).", Name = "Survive Attack", Source = "AR-21, AR-22, MC-21", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Survivability").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "UA-2", RequirementText = "The system shall be able to determine when a buffer overflow attack has occurred. If attack takes place, system should shut down and system administrator should be notified within a reasonable time.", Name = "Buffer Overflow", Source = "AR-05, MC-16", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Unauthorized Attacks").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AU-6", RequirementText = "Configuration changes are stored and cross-reviewed.", Name = "Configuration Review", Source = "PR-04, PR-14, PR-21, MC-01, MC02, MC03, MC-04, MC-05, MC-06, MC-07, MC-08, MC-09, MC-10, MC-14, MC-15, MC-16, MC-17, MC-18, MC-20, MC-22", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Auditing").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "UA-1", RequirementText = "The system shall protect itself from viruses by using virus detection software with updated signatures. The virus detection software should also be run weekly.", Name = "Virus Protection", Source = "AR-02, MC-17", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Unauthorized Attacks").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "UA-5", RequirementText = "The system shall protect itself from input validation attack.", Name = "Input Validation", Source = "AR-16, MC-16", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Unauthorized Attacks").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "UA-7", RequirementText = "A form of intrusion detection shall be implemented in the system. If the system detects any corruption of data or messages, then the system shall record the security event; notify the system administrator in a timely manner.", Name = "Intrusion Detection", Source = "AR-27, MC-21, MC-18", Priority = 2, Order = 2, Project = project, Category = project.Categories.Where(a => a.Name == "Unauthorized Attacks").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AU-3", RequirementText = "Log all incoming and outgoing traffic.", Name = "Log Traffic", Source = "PR-03, PR-10, MC-01, MC-02, MC-03, MC-04, MC-05, MC-06, MC-07, MC-08, MC-09, MC- 10, MC-11, MC-12, MC-13, MC-16, MC-17, MC-18, MC-19, MC-22", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Auditing").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "UA-4", RequirementText = "The system shall protect itself from attacks due to weak server configuration.", Name = "Server Configuration", Source = "AR-15, MC-17", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Unauthorized Attacks").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "DR-1", RequirementText = "Develop disaster recovery and contingency plan. DR-2) Perform routine system and data backup.", Name = "Recovery", Source = "PR-05, PR-20, MC-01, MC-02, MC-03, MC-04, MC-05, MC-06, MC-07, MC-08, MC-09, MC- 10, MC-14, MC-15, MC-16, MC-17, MC-18, MC 21, MC-22", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Disaster Recovery").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AU-4", RequirementText = "Separate personnel review system administrator activities", Name = "Admin Review", Source = "PR-18, MC-02, MC-04, MC-05", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Auditing").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "UA-3", RequirementText = "The system shall protect itself from malicious encoding mechanisms.", Name = "Protect Malicious Encoding", Source = "AR-13, AR-14, AR-23, AR-24, AR-30, AR-31, MC22", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Unauthorized Attacks").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AC-3", RequirementText = "If no identification is provided, the system shall record the security event and notify the operator within a reasonable time", Name = "No Identification", Source = "AR-08, MC-08", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Access Control").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "EN-1", RequirementText = "The system’s data and communication shall be encrypted.", Name = "Encrypt Communications", Source = "AR-12, MC-10", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Encryption").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "PV-4", RequirementText = "Users should log out of AMS system or close browser as soon as their activities are done", Name = "Logout Rule", Source = "PR-07, PR-13, PR-22, MC-01, MC-03, MC-06, MC-08, MC-09, MC-10, MC-11, MC-13, MC-14, MC- 20", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Privacy").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "AU-2", RequirementText = "Audit information must be reviewed routinely. ", Name = "Audit Logging", Source = "PR-03, PR-10, MC-01, MC-02, MC-03, MC-04, MC-05, MC-06, MC-07, MC-08, MC-09, MC- 10, MC-11, MC-12, MC-13, MC-16, MC-17, MC-18, MC-19, MC-22", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Auditing").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "PV-2", RequirementText = "Enforce strong password policies. ", Name = "Password Policies", Source = "PR-07, PR-13, PR-22, MC-01, MC-03, MC-06, MC-08, MC-09, MC-10, MC-11, MC-13, MC-14, MC- 20", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Privacy").Single() , SquareType = security });
project.Requirements.Add(new Requirement() { RequirementId = "UA-8", RequirementText = "The system shall protect itself from input validation attack by assuring file names are well formed.", Name = "File name format", Source = "AR-35, AR-36, MC-16, MC-22", Priority = 3, Order = 1, Project = project, Category = project.Categories.Where(a => a.Name == "Unauthorized Attacks").Single() , SquareType = security });
// save
// save the project
context.Projects.Add(project);
try
{
context.SaveChanges();
}
catch (DbEntityValidationException dbEx)
{
throw;
}
}
