Software Security is a very big topic, and it is easy to get lost in it. There is a lot of information about security, ranging from highly successful startups to terrible news of shocking security breaches. Let's discuss some basic concepts and terminology.
What is Software Security?
Let's hear some common answers from IT folks.
- Protect the system from someone logging in with a fake identity.
- Protect against attacks like DDoS.
- Find out whether someone's identity was stolen.
These are partly true but do not capture the essence.
What do we want to protect using software security? With software security we protect against:
- Data Loss
- Disruption of Service
- Data Leak
- Data Inconsistency
Data Loss
This means that sensitive data is lost due to a security breach. In other words, a vulnerability in the system allowed someone to crack it and make important data disappear.
A common example is an attacker gaining access to the main database and deleting records.
Disruption of Service
This is when system activity is disrupted by the attacker's actions. It may have nothing to do with the system's data; the system simply goes down. The bottom line is that the attacker wants the system to stop working. The common example is a denial of service attack, which overloads the system and makes it go down. In other words, a group of attackers can orchestrate a huge load of traffic to the system, overloading its infrastructure and in turn taking it down.
Data Leak
This occurs when sensitive data, such as credit card information or contact details, is stolen and made available to unauthorized recipients. Imagine your own credit card details in the hands of some hackers.
Data Inconsistency
This occurs when data is manipulated by unauthorized attackers and becomes inconsistent. Attackers can impersonate someone else and perform unauthorized actions.
Software Security Terminology
There are a few common terms we must be familiar with.
- Threat - An event which, if it happens, will lead to a security incident of the kind discussed earlier. e.g. SQL injection.
- Attack - An actual execution of a threat by an attacker (or attackers). e.g. execution of an SQL injection, a DDoS attack.
- Vulnerability - A problem in the system that an attacker can use to execute an attack and compromise the system. e.g. an error in the firewall configuration that exposes an internal service to the public.
- Authentication - Establishing the identity of a user. It determines who you are, whether a human or a machine; the identity must be established before accessing the system. e.g. username and password, Face ID, fingerprint.
- Authorization - Establishing what a given user is allowed to do in the system. e.g. a particular user can create a record but cannot delete it.
There are many more terms in this domain, but the above are the most basic few that we should know.
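To make the distinction between authentication and authorization concrete, here is an added Python example (not code from the original post). It assumes a constructed in-memory user store with a role per user, and implements the post's own scenario: a user who may create a record but not delete it. Authentication establishes who the caller is; authorization is a separate, deny-by-default check of what that identity may do.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> salt, PBKDF2 password hash, role.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def add_user(store: dict, username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}

def authenticate(store: dict, username: str, password: str):
    """Authentication: establish WHO the caller is. Returns the username or None."""
    record = store.get(username)
    if record is None:
        # Unknown user: still do one hash so timing does not reveal valid usernames.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison so the hash check itself leaks nothing via timing.
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return username

# Authorization policy (constructed): role -> allowed actions. Anything not listed is denied.
PERMISSIONS = {
    "editor": {"create", "read"},              # can create a record but not delete it
    "admin": {"create", "read", "delete"},
}

def authorize(store: dict, username: str, action: str) -> bool:
    """Authorization: establish WHAT an already-authenticated user may do."""
    role = store[username]["role"]
    return action in PERMISSIONS.get(role, set())

def handle_request(store: dict, username: str, password: str, action: str) -> str:
    """Authentication always runs first; authorization is only evaluated for a known identity."""
    user = authenticate(store, username, password)
    if user is None:
        return "401 unauthenticated"
    if not authorize(store, user, action):
        return "403 forbidden"
    return f"200 {action} ok"
```

A failed login and a forbidden action return different status codes on purpose: the first means the identity could not be established, the second means the identity is known but the action is outside its permissions.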
Who is responsible for the Security?
Is there a specific role that is the sole owner of the security aspect of the system? Let's look at a typical organizational chart.
- CIO (or CTO) - The CIO is responsible for all IT aspects of the company and makes sure everyone is aware of security. If the CIO does not highlight it, no one will invest time in it.
- CISO - A new role in the modern era. The chief information security officer is responsible for setting the security strategy for the company's IT. If there is no CISO, others should collectively fill the role. Basically, he or she should define the strategy and what should be done overall.
- IT Services - They are typically responsible for the servers, starting from installing operating systems and upgrading them (patching operating system vulnerabilities), to setting up the network, setting up firewalls, etc.
- Architect - Designs a secure architecture. The architecture should be secure in the first place.
- Project Manager - May not be a technical role, but should make sure these aspects are part of the work plan and are actually implemented.
- Development Manager / Engineering Manager - He or she is responsible for training the developers. As the most senior developer around, they should have rich experience developing secure systems and provide guidance to the junior developers.
- Developer - They must develop secure code.
- QA - They should conduct security-related testing.
So each and every one has a role regarding security. The bottom line is that when it comes to Software Security, Everyone Is Responsible.