Saturday, April 18, 2009

Security Ingredients in Software Development

Security is a basic requirement of every software development project. However, most system analysts miss this fundamental requirement, because when they start the requirements engineering process they focus on the business requirements, and the end users are not able to provide insight on information security.

The term “security” here refers essentially to the CIA triad: Confidentiality, Integrity and Availability. That means that, apart from the business requirements that solve real-world business problems, the target application must also satisfy the information security requirements at the same time.

Confidentiality ensures that information is accessible only to those authorized to have access. This typically refers to authentication and authorization: confirming an individual’s identity, and then allowing or denying that individual access based on an access control technique. In the past, this meant a username and password combination for authentication and an access control list for authorization; other techniques exist nowadays. The system should check the individual’s access rights before allowing or denying access to specific resources. Security features should also protect against unauthorized access by other paths: even if the application already includes authentication and authorization, related data travelling over the network or stored in the database without appropriate protection will still cause confidentiality to fail. Data-in-transit protection and data-at-rest protection should therefore also be considered, typically using encryption where local laws allow.

Integrity refers to the consistency and accuracy of the data. This extends to who has accessed and modified the data: any access to or modification of the data through the application being developed should be logged to provide an audit trail. Moreover, additional controls should be applied to make sure data in transit and data at rest are protected, so that if the data is modified unexpectedly, the application is able to detect the situation. The typical technique to ensure integrity is a combination of hashing, digital signing and encryption.
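As an added example (not code from the original article), the following Python script shows one way to give data at rest the integrity protection and audit trail described above: every stored record carries an HMAC-SHA256 tag computed with a server-side key, the application verifies the tag before reading or updating the record, and each access is written to an audit log. The key, the record layout, the in-memory store and the audit log format are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Assumption for this example: the integrity key lives outside the database
# (a key store or HSM in a real deployment). It is generated here only so that
# the script runs stand-alone.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record):
    """Serialise a record deterministically so identical content always produces the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key=INTEGRITY_KEY):
    """Wrap a record with an HMAC-SHA256 tag over its canonical form before storing it."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed, key=INTEGRITY_KEY):
    """Recompute the tag and compare in constant time. False means the stored data was altered."""
    expected = hmac.new(key, canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


# Audit trail: who touched which record, when, and whether the operation succeeded.
AUDIT_LOG = []


def audit(actor, action, record_id, ok):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "record": record_id,
        "ok": ok,
    })


def read_record(store, record_id, actor):
    """Return the record's data only if its integrity tag still verifies."""
    sealed = store[record_id]
    ok = verify(sealed)
    audit(actor, "read", record_id, ok)
    if not ok:
        raise ValueError("integrity check failed for " + record_id)
    return sealed["data"]


def update_balance(store, record_id, actor, new_balance):
    """Apply a change through the application: verify first, then re-seal the new content."""
    data = dict(read_record(store, record_id, actor))
    data["balance"] = new_balance
    store[record_id] = seal(data)
    audit(actor, "update", record_id, True)
    return store[record_id]["data"]


if __name__ == "__main__":
    # Constructed sample store standing in for a database table.
    store = {"acct-1": seal({"id": "acct-1", "owner": "alice", "balance": 100})}
    print(update_balance(store, "acct-1", "alice", 150))  # change made through the application: fine

    # Simulate an edit made directly in the database, bypassing the application.
    store["acct-1"]["data"]["balance"] = 1_000_000
    print(verify(store["acct-1"]))                        # False: the modification is detected
    try:
        read_record(store, "acct-1", "teller")
    except ValueError as exc:
        print(exc)
    print(AUDIT_LOG[-1])                                  # the refused read is in the audit trail
```

An HMAC only detects modification; it does not hide the content, so confidentiality of the same record still needs encryption at rest as the article says, and the key used for the tag must never be stored next to the data it protects. A digital signature would be used instead of an HMAC where a party other than the key holder must be able to verify the record.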

Availability guarantees that the system’s features are available when needed. This includes not only the security features but also other system features. In terms of security, the system being developed should be able to withstand denial-of-service attacks. High availability configuration, a tarpit applied to failed authentication attempts, and other redundant arrangements are mainstream practices for availability.
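The tarpit on failed authentication mentioned above, as an added example that is not from the original article: a Python sketch of password checking in which each consecutive failure for an account doubles the window during which further attempts on that account are refused, up to a cap, and a successful login resets it. The user store, the sample password, the delay constants and the `now` parameter (passed in so the behaviour can be exercised without real waiting) are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for the example).
ITERATIONS = 100_000
# Tarpit parameters (assumed): no hold after the first failure, then doubling, capped.
BASE_DELAY = 1.0
MAX_DELAY = 60.0


def make_user(password):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS),
        "failures": 0,        # consecutive failed attempts
        "locked_until": 0.0,  # monotonic timestamp before which attempts are refused
    }


# Constructed user store standing in for a real credential database.
USERS = {"alice": make_user("correct horse battery staple")}
_DUMMY_SALT = b"\x00" * 16


def tarpit_delay(failures):
    """Seconds the account is held after `failures` consecutive failed logins."""
    if failures <= 1:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - 2), MAX_DELAY)


def authenticate(username, password, now=None):
    """Return True only for the correct password on an account that is not inside its tarpit window."""
    now = time.monotonic() if now is None else now
    user = USERS.get(username)
    if user is None:
        # Do the same amount of hashing work for unknown accounts so the
        # response time does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _DUMMY_SALT, ITERATIONS)
        return False
    if now < user["locked_until"]:
        # Inside the tarpit window: refuse without checking the password, so a
        # flood of guesses cannot drive up the server's password-hashing load.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), user["salt"], ITERATIONS)
    if hmac.compare_digest(candidate, user["hash"]):
        user["failures"] = 0
        user["locked_until"] = 0.0
        return True
    user["failures"] += 1
    user["locked_until"] = now + tarpit_delay(user["failures"])
    return False


if __name__ == "__main__":
    t = 0.0
    for attempt in range(5):
        ok = authenticate("alice", "guess%d" % attempt, now=t)
        u = USERS["alice"]
        print("t=%4.1fs result=%s failures=%d held for %.1fs" % (t, ok, u["failures"], u["locked_until"] - t))
        t += 0.5
    # A correct password is still refused while the tarpit window is open...
    print(authenticate("alice", "correct horse battery staple", now=t))
    # ...and accepted once the window has elapsed.
    print(authenticate("alice", "correct horse battery staple", now=USERS["alice"]["locked_until"]))
```

The availability trade-off is deliberate: a permanent lockout would let anyone who knows a username deny service to its legitimate owner, which is why the hold is capped, grows gradually and clears on success. Rate limiting per source address, which this sketch does not implement, complements the per-account tarpit. The failure counter and `locked_until` timestamp must be kept in shared storage when the application runs on more than one server.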

To sum up, the following are typical security ingredients:

  • Authentication
  • Authorization
  • Critical data item storage encryption
  • Digital signature
  • Hashing
  • High availability and other redundant arrangements
  • Tarpit
  • Transport layer encryption

The author hopes this article reminds system analysts to include these considerations in their requirements engineering process, making the resulting application more secure and hence making the world more secure.
