As a developer, when you think of security, what comes to mind? Is it clear what are different aspects that need to be handled to make a software secure? And why you need to do that?
The objective of this article is to provide that view and articulate what controls should be in place and how. Details of how to apply those controls are not covered as they would require separate articles - and lot of content is available on the web anyway.
What is Software Security?
Security implementation of a software application can be classified in two parts:
- Pre-deployment - building a secure software
- Post-deployment - security of the environment where the software is running
Software Security is pre-deployment. It is the process of identifying risks and building controls (or Countermeasures as it is called in security terminology) in the software itself while it is being built.
Software Security is the focus of this post. We will see controls commonly used and what risks they mitigate.
For more details, see What is Software Security by Gary McGraw
Nature of security
A software application would generally have two aspects:
a. Services that provide some functionality
b. Data generated and consumed by the services
Security can be defined as defending the services and the data from unauthorized and malicious usage at all times.
Defending is the key word here. Defense literally means an act of resisting an attack. That means attacks can happen anytime and any number of times, and we need to keep protecting the system from these attacks.
That’s what makes security of a software application very difficult because it is not easy to get it right all the time.
Also, there is no room for error. One incident may be enough to destroy the reputation and business built over the years.
#security #programming #software-engineering #web-development #software-architecture #web-security #cyber-security #software-development
