It’s rhetorical, I know. But even so, there is still a lot of people that neglect and continues paying a very high price for missing Software security concepts.

The software architects’ challenge for this generation and the next ones is already written in bold, underlined and capital letters letters: to build secure and resilient software from hackers attack. Hard task, of course. But who wants to be a true professional will always be eager to face the challenges that the career requires.To develop software security is very important to introduce the security concepts at each stage of the development cycle and make all responsible staff understand the real value to apply them. Thus, the chance of achieving the goal increases considerably.

The table below illustrates the essential security concepts for developing software security , especially for the Core, which we will address in our discussion today:

security-concepts

Confidentiality

In information security, confidentiality is the property that information is not available or disclosed to individuals, entities or unauthorized processes. It is related to protection against unauthorized disclosure of information. Since ancient times, humanity is aware that information is power, and in our information age, access to information is more important than ever, and unauthorized access to secret information can have devastating consequences.

 

Integrity

In the software that is reliable there is a concern with the reliability, origin, completeness and accuracy of information and the prevention of unauthorized modification or unauthorized information. So software integrity has two aspects: First, to ensure that the data that is transmitted, processed and stored are as accurate as the creator intended, and secondly, that the software performs as reliable as intended.

 

Availability

Availability is the concept of security that is related to the access of software, data or information it handles. The availability, despite being addressed after confidentiality and integrity, cannot be considered less important. After all, who needs a healthy software and confidential information that is not available? The software should be available only to those who are authorized to use it and only accessible when it is needed.

 

Authentication

It is in the authentication step that the person or the resource must prove who really is. It does not only ensures that an identity of an entity (person or resource) is specified according to the format that the software is expecting, but also validates and verifies the identity information provided.

 

Authorization

The fact that an entity has their credentials validated does not mean that it can gain access to all features of the software. It is in the approval process that the software owner determines the access to an entity based on rights and privileges or according to a policy. The authorization decisions should not precede the authentication, ie, you do not authorize an entity prior to authenticate it.

 

Accountability

Accountability is another important principle of information security as regards the ability to track actions and events back in time to the users, systems, or processes, to establish accountability for actions or omissions. A software cannot be considered safe if it is not “accountable” because it would be impossible to determine who is responsible for what happened or did not happen in the software. This liability is provided mainly by records and the audit trail.

These security concepts should cover the entire software life cycle, and address them from the beginning is not only less expensive, but in terms of resources and schedule, is effective as well.

We always advocate that, more important than knowing a specific technology, is knowing the concepts of software security engineering. The technologies are inevitably replaced by new ones that come with a cooler clothing, but they all end up using the same concepts.

We are talking about the very basic ones, but if you do an analysis of the softwares that you have built, you will realize that many of them have been designed without this concern. Is it a crime? It is not. Really. This is a sin of ignorance. But when you know what should be done and you do not do, it is sin by omission.

Obviously, in most companies it is very difficult to break the barrier of “after we will do it”, of “security is nice, but it’s not our focus right now.” To prove that software security value is a continuous and arduous task, but do not give up. Try to do it as soon as possible not to suffer which the old saying goes, “after broken into the house, lock the door.

You might also like…

Tips on facilitators for developers – Part II

Hello! On the latest post i’ve shown some hints on facilitators for developers. On today’s post ...

What are RAD, Framework and IDE – concepts and applicability

What are RAD, Frameworks and IDE? Understand the difference and how we can use them to optimize the ...

Trends for web development in 2017

In this post you will see some Web Design, Digital Media and Development trends for 2017. Immers...

Comment this post

Get new posts, resources, offers and more each week.