​​ By Morten Foged Schmidt, Software Developer at NNIT

The use of IT systems in organizations has changed the last couple of years. Businesses become more globalized and the changing IT landscape forces the organizations to allow access to their network, systems and applications. The globalization and changes will lead to IT security changes as well.

IT security tends to focus on network and servers hosting applications and storing data. It is often about keeping intruders out by using perimeter defenses like firewalls, demilitarized zones and secured servers. This approach is absolutely necessary and critical, but as the boundaries are slowly changing with cloud, mobile and other kinds of solutions, the need for application and software security increases.

The Microsoft Security Intelligence Report 2014 shows that the industrywide vulnerability disclosures are extremely high and increasing for custom and business specific application (Other applications) compared to those from web browsers, core operating systems and applications. The extreme increase in 2H14 is believed to have occurred following research project that uncovered SSL vulnerabilities in a large number of Android apps in the Google Play Store.

Microsoft Security Intelligence Report, Vol. 18 page 19, 2014

A prerequisite for mitigation is that the organization must be aware of and understand the security goals for their applications and software. The security term CIA (Confidentiality, Integrity and Availability) is used  to define such security goals or to clarify the need for specific application and software security.

The relation between Confidentiality, Integrity and Availability

Confidentiality ensures that computer-related assets are only accessed by authorized parties. Being authorized to "access" a particular asset means, viewing, printing or simply knowing about the existence of the asset. Confidentiality is sometimes also known as "secrecy" or "privacy".

Integrity means that only authorized parties can modify, create, delete, change status etc. on computer-related assets. Integrity also refers to the trustworthiness of assets and making sure the origin and credibility that people place in the assets is intact.

Finally, Availability is about having the right access to computer-related assets at the right time.  For example, if someone has a legitimate access to a set of assets, then that access should not be prevented. It refers directly to the aspect of reliability, having a system that is unavailable is just as good as no system at all.

The tricky part is to find the right balance between the security goals. As an example, it would make no sense to preserve a particular computer-asset’s confidentiality by not letting anyone having access to the asset. It would conflict with the availability and proper access goals.

Security interviews with developers and stakeholders are a good information source to find the right security goals, but a more structured approach must also consider data classification, risk assessment (the consequences of data disclosure) and relevant data protection/privacy legislation e.g. the upcoming EU General Data Protection Regulation.

When the security goals have been defined, security design concepts and processes must be considered and implemented to mitigate for the risks and reach the security goals. The Microsoft SDL (Security Development Lifecycle) is one process that bridges the gap between software professionals and security best practices. The SDL ensures that security is built-in throughout the entire application development lifecycle. Implementing such a process could seem like a lot of work and be difficult to manage without being a security expert. But the SDL meets you at your current level of IT security knowledge and helps you improve from there.

As a consequence, the most important part of the SDL and the CIA model is the awareness it generates, that assists developers to become more concrete about application security.

The question is, is your organization on top of its application C.I.A.?

____________________________________________________________________________________

About NNIT Security Insights

NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.

NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage. 

You are welcome to contact us at itmanagement@nnit.com if you want to know more about how NNIT can help your business increase its information security level.