The variety of modern software makes it and its developers even more subjected to different challenges. Many programs are used by financial organizations and authorities, so the information contained there must be reliably protected. Even ordinary people would like to save the confidentiality of their personal information and images and they hope that software developers have taken this into account. All this is called “information security” and our task is to realize what role it plays in web development.
What is information security?
According to information security definition, it is a kind of practice that involves defending of information from disruption, unauthorized access, disclosure, modification, destruction, inspection etc. It is most often applied to technology and it helps to avoid or prevent computer system threats like thefts, software attacks, sabotage, information extortion etc.
Objectives of information security
Most of the information security articles define three main objectives of security: maintenance of confidentiality, availability, and integrity.
Data confidentiality is a kind of protection that allows only authorized people to have access to vital data. In the world of developers, such a loss of confidentiality is called breach and is impossible to be remedied.
Availability involves the accessibility of information only to authorized users, who have right for that.
Integrity is a term that characterizes the authenticity of information. Attackers may change important issues and the received data can be not truthful, so integrity is very important.
Dependence of security on software development life cycles
The key problem of modern software developers is a proper implementation of all information technology security constituents during the phase of development. It means that any mistake or skipping of the process may result in problems with functioning and unexpected disruptive events. Consequently, it is of great importance to include the development of InfoSec into the stages performed during software development.
A typical waterfall model involves such stages in the web development:
- The conceptual definition takes the first stage when a basic description of the future product is developed. At this stage, it is also necessary to develop the main principles and strategies of InfoSec.
- Requirements contain a detailed list of both functional and technical requirements and other important specifications. InfoSec requirements must be formulated during this phase too. A popular practice of developers is abuse cases when they deliberately consider possible misuses and ponders of the future software and depict how it will respond to them.
- The third phase is the development of formal product design and analysis of possible risks connected with the future product. Protection measures involve both business and architectural risk analyses. A team should consider every module, interaction, interface etc. against popular attack methodologies and the likelihood of their success as well as questions of the cost of the project.
- Coding is the actual process of software creation that also involves the development of InfoSec standards, libraries, practices, and examples.
- Testing is one of the most important phases that include verification of each security requirement. There are usually two types of testing: security functional and risk-driven ones. The first one involves tests connected with checking such features as user identification, encryption, logging, authentication, confidentiality etc. The second type is based on assessing and prioritizing architectural risks and abuse cases to learn how the attacker can exploit the software.
- The last stage is implementation – installation of software into production. This stage is meant not only for integration of existing controls but also for correcting possible bugs and mistakes. Overlooked implementation bugs should be checked with the help of code review processes and penetration testing to avoid any risks of software failure.
Failures in information security: possible consequences
Some organizations intentionally do not involve information systems security, while the others suffer from mistakes made by web developers. All problems that appear as a result are costly and problematic to solve. These are only some of the examples that may be experienced because of IS failures:
- Defaced Web sites;
- Hacker attacks;
- Dysfunction of software;
- Fraudulent transactions;
- Spreading of personal or confidential information etc.
Protection measures or types of security control
All the sensitive data requires reliable protection and for this purpose, such term as security control was invented. It focuses on two basic principles, according to which it is important to determine any vulnerability of the system and remove it as well as provide users only with required functionality not to interfere with functions that are not presupposed.
There are three main types of security control such as:
- Management controls focusing on risks and information system security;
- Operational controls primarily implemented and used by people;
- Technical controls implemented by the developers and executed by the system through its software, hardware, and firmware.
Nowadays InfoSec has become a very popular field for research as no one has invented a system that is 100% protected yet. Most of the information security news state that scientists have found a new way to protect software, but unfortunately these means are not universal and cannot be applied to every innovative product. But in fact, information security is an indispensable part of software development and it must be paid much attention if a developer wishes that his/her product could function for a long period of time.