Assessing the Security of Software Configurations

Security evaluation is a complex problem. As more and more software systems become available, more diversity and alternatives can be found to accomplish the same tasks. However, there is still a lack of a standard approach that can be used to choose among the available alternatives or evaluate their configuration security. In this chapter, the authors present a methodology to devise security appraisals, which is based on the collection of widespread security knowledge for a specific domain. They demonstrate their methodology by devising two specific appraisals for the domain of transactional systems. The first one can be used to evaluate and assess the configuration of an already deployed database installation, while the target of the second one is to compare the capability of specific database brands concerning security aspects. The authors also present a real demonstration of both appraisals in real scenarios.