Eachan's Space


Security 101


Continuing this week’s series about the six principles of webscale software, we come to security.  This is a hot one for us, as vulnerabilities can cost us serious cash, degrade our customers’ confidence in our business and irritate [understatement of the year] our regulators.  Simplified user story… familiar format… business value…

So what does our basic user story for security look like?  The sharper amongst us should be spotting a pattern by now:

As the CTO, I want the peace of mind a highly secure suite of applications delivers, So that we continue to earn and keep our customers’ trust, As proven by appropriate and justifiable answers to the security questions.

And as the pattern dictates, let’s think about what appropriate and justifiable means in the context of security.  Security is one of those things that’s easy to get carried away with, as security professionals tend to be particularly good at raising awareness and we’re never short of threats to cringe in fear from (code flaws, viruses, internal fraud) and standards (ISO27001, SOX) to measure up to.  The one thing I’d add to this is to remember that security is an investment just like anything else; you wouldn’t spend £20K insuring a £10K car, and your products are no different.  Know the value of the asset, the risks it faces and how likely they are to materialise – then you can make appropriate decisions.  Thinking about things like the industry you’re in (do you have regulatory requirements or other standards to live up to?), the data you keep (how confidential is it?), where the money is (do you keep any?) and how important reputation and those other intrinsic things are will let you justify the time spent on testing and securing software.

Some worthwhile things to consider as you code are:

  • How could this component be misused and how have I prevented this?
  • How have I limited this feature’s access to the rest of the system?
  • Does the feature use the smallest possible data range?
  • How might people use this feature other than intended?
  • Is all private customer data securely transmitted?
  • Where is this feature’s use logged and is its activity easy to deduce?
  • How will we be alerted to abuse of this feature?

Thinking about these things will help keep security commensurate with risk as you deliver features – tomorrow is availability day.


Written by Eachan

February 7, 2008 at 6:19 pm

Posted in Technical

