It’s rhetorical, I know. But even so, there are still a lot of people who neglect software security concepts and continue to pay a very high price for it.
The software architects’ challenge for this generation and the next ones is already written in bold, underlined and capital letters: to build software that is secure and resilient against hacker attacks. A hard task, of course. But whoever wants to be a true professional will always be eager to face the challenges that the career requires. To develop secure software, it is very important to introduce the security concepts at each stage of the development cycle and make all responsible staff understand the real value of applying them. Thus, the chance of achieving the goal increases considerably.
The table below illustrates the essential security concepts for developing secure software, especially the Core concepts, which we will address in our discussion today:
In information security, confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities or processes. It is related to protection against unauthorized disclosure of information. Since ancient times, humanity has been aware that information is power. In our information age, access to information is more important than ever, and unauthorized access to secret information can have devastating consequences.
In reliable software there is a concern with the reliability, origin, completeness and accuracy of information and with the prevention of unauthorized modification of that information. So software integrity has two aspects: first, to ensure that the data that is transmitted, processed and stored is as accurate as the creator intended, and second, that the software performs as reliably as intended.
Availability is the security concept related to access to the software and to the data or information it handles. Availability, despite being addressed after confidentiality and integrity, cannot be considered less important. After all, who needs healthy software and confidential information that is not available? The software should be available only to those who are authorized to use it and accessible only when it is needed.
It is in the authentication step that the person or the resource must prove who it really is. Authentication not only ensures that the identity of an entity (person or resource) is specified in the format that the software expects, but also validates and verifies the identity information provided.
The fact that an entity has had its credentials validated does not mean that it can gain access to all features of the software. It is in the authorization process that the software owner determines the access granted to an entity, based on rights and privileges or according to a policy. Authorization decisions should not precede authentication, i.e., you do not authorize an entity before authenticating it.
Accountability is another important principle of information security. It concerns the ability to trace actions and events back in time to the users, systems or processes behind them, in order to establish responsibility for actions or omissions. Software cannot be considered safe if it is not “accountable”, because it would be impossible to determine who is responsible for what happened or did not happen in the software. This accountability is provided mainly by records and the audit trail.
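The ordering rule for authentication and authorization and the audit trail described above can be seen together in one request path. The following is an added example, not code from the original article; the account names, passwords, policy entries and function names are constructed assumptions.

```python
import hashlib
import hmac
import time

SALT = b"constructed-demo-salt"  # constructed value; real systems use a random per-user salt

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample accounts and policy (assumptions for this example).
CREDENTIALS = {"alice": _hash("correct horse"), "bob": _hash("battery staple")}
POLICY = {"alice": {"report:read", "report:write"}, "bob": {"report:read"}}
AUDIT_TRAIL = []  # append-only record of every decision, allowed or denied

def authenticate(username, password):
    """Return the verified identity, or None when the claim is not proven."""
    # Unknown users are checked against a dummy hash so both paths cost the same.
    stored = CREDENTIALS.get(username, _hash("dummy"))
    proven = hmac.compare_digest(stored, _hash(password))
    return username if proven and username in CREDENTIALS else None

def authorize(identity, action):
    """Policy lookup; only ever called with an identity that was authenticated."""
    return action in POLICY.get(identity, set())

def handle_request(username, password, action):
    identity = authenticate(username, password)
    if identity is None:
        outcome = "denied:unauthenticated"  # authorization is never consulted
    elif not authorize(identity, action):
        outcome = "denied:unauthorized"
    else:
        outcome = "allowed"
    # Accountability: record the claimed identity, the action and the outcome.
    AUDIT_TRAIL.append({"ts": time.time(), "who": username,
                        "action": action, "outcome": outcome})
    return outcome

if __name__ == "__main__":
    print(handle_request("alice", "correct horse", "report:write"))
    print(handle_request("bob", "battery staple", "report:write"))
    print(handle_request("alice", "wrong password", "report:write"))
    for record in AUDIT_TRAIL:
        print(record["who"], record["action"], record["outcome"])
```

Denied requests are logged as well as allowed ones, so the trail can answer both what happened and what was attempted.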
These security concepts should cover the entire software life cycle, and addressing them from the beginning is not only less expensive but, in terms of resources and schedule, effective as well.
We always advocate that knowing the concepts of software security engineering is more important than knowing a specific technology. Technologies are inevitably replaced by new ones that come dressed in cooler clothing, but they all end up using the same concepts.
We are talking about the very basic ones, but if you analyze the software that you have built, you will realize that much of it was designed without this concern. Is it a crime? It is not. Really. This is a sin of ignorance. But when you know what should be done and you do not do it, it is a sin of omission.
Obviously, in most companies it is very difficult to break the barrier of “we will do it later”, of “security is nice, but it’s not our focus right now.” Proving the value of software security is a continuous and arduous task, but do not give up. Try to do it as soon as possible, so as not to suffer what the old saying describes: “after the house is broken into, lock the door.”