In my information security course in college, one of the first things we learned about was the CIA Triad. CIA stands for Confidentiality, Integrity, and Availability. These are the core principles of information security.
If asked to sum up what these principles mean, I would say:
The principles of information security are about ensuring that the data we are trying to secure is protected from being seen by those who should not see it (confidentiality), protected from being altered or destroyed by those who should not touch it (integrity), and yet still accessible to those who need it (availability).
Confidentiality
When most people think of information security, they most likely think about how to keep data confidential, about keeping prying eyes out. While it is true that confidentiality is important, it is only the first part of the triad.
That said, for those who may not know, confidentiality in information security is the prevention of the unauthorized release of information. If someone, or something, that is not supposed to access certain data is able to obtain access to it, then confidentiality has been breached.
Integrity
Data integrity is something that many of us deal with as developers who work with data, but have we ever really considered that it is a part of security? It's true: data integrity is not just about making sure that a foreign key constraint keeps a child record from being created where it should not be, it is also about keeping the integrity of our data safe from hackers. Preventing the unauthorized manipulation or destruction of the data in our systems is protection of its integrity.
Data integrity is not just about the data in our database, it is also about our source code, config files, access controls, and authentication systems. The integrity of all of these is important.
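As an added example (not from the original post) of protecting the integrity of config files rather than database rows: a baseline manifest of SHA-256 digests, authenticated with an HMAC key, detects unauthorized changes, deletions and additions. The file contents and the key below are constructed for the demo; a plain hash manifest alone would not do, because whoever rewrites the files could rewrite the hashes too.

```python
# Keyed integrity manifest for deployed config files (constructed example).
# The HMAC key must live apart from the files it protects (e.g. on the host
# that runs the check), otherwise an attacker who edits the files can also
# recompute a matching manifest.
import hashlib
import hmac
import json

# Constructed sample "files" (path -> bytes); a real check would read from disk.
DEPLOYED_FILES = {
    "app/settings.ini": b"[auth]\nsession_timeout = 900\nrequire_mfa = true\n",
    "app/allowed_origins.txt": b"https://app.example.test\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict, key: bytes) -> dict:
    """Hash every file and authenticate the digest list with HMAC-SHA256."""
    digests = {path: sha256_hex(content) for path, content in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(files: dict, manifest: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means integrity is intact."""
    findings = []
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking timing information about the MAC.
    if not hmac.compare_digest(expected, manifest["mac"]):
        findings.append("manifest MAC invalid: manifest itself was altered")
        return findings  # the digests cannot be trusted, so stop here
    for path, digest in manifest["digests"].items():
        if path not in files:
            findings.append(f"{path}: missing (destroyed?)")
        elif sha256_hex(files[path]) != digest:
            findings.append(f"{path}: contents changed")
    for path in files:
        if path not in manifest["digests"]:
            findings.append(f"{path}: unexpected new file")
    return findings

if __name__ == "__main__":
    key = b"constructed-demo-key-keep-off-the-web-host"
    manifest = build_manifest(DEPLOYED_FILES, key)
    tampered = dict(DEPLOYED_FILES)
    tampered["app/settings.ini"] = tampered["app/settings.ini"].replace(b"true", b"false")
    print(verify_manifest(DEPLOYED_FILES, manifest, key))  # []
    print(verify_manifest(tampered, manifest, key))  # ['app/settings.ini: contents changed']
```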
Availability
When I learned about the CIA model in my InfoSec class, the biggest "ah-ha" moment for me was the discussion of information availability. The line from the book that was the biggest "eye-opener" for me was something like:
It's easy to secure a computer from attacks on confidentiality and integrity. Simply turn it off, unplug it from the network and lock it in a closet. But what good does the information on it do anyone then?
Confidentiality and integrity are important, but just as important is that certain people still need access to the data that is being protected. If you make your data "too secure", you may undermine this third piece of the triad by denying your users access to the data they need.
What does this have to do with web application developers?
Finding the right mix of confidentiality, integrity, and availability is a delicate balancing act, and one played out on an ever-changing landscape. As data changes, so will the need to secure it. As data changes hands, the existing security policies will need to change. And data of different types will need to be secured in different ways.
As web application developers, we are sometimes charged with information security tasks in the form of securing the applications we create from attacks on their confidentiality and integrity, while still enabling access to authorized users. Our involvement in the InfoSec/AppSec portion of development may range from simply implementing an existing security model, to developing a complete security model and implementing it across software and hardware environments.
Regardless of our level of involvement, understanding these basic principles will help us understand the overall goals of InfoSec/AppSec and give us a good place to start.
Conclusion
As usual, I will remind you that I am still a student of these teachings and I am always interested in learning more and hearing (reading) other perspectives and ideas on these topics. If you'd like to add to this or correct me on anything, please feel free to leave a comment.
In some cases here I am only rehashing things I have read, in other cases I am only just realizing that I have been doing some of these things without realizing that there is a way to articulate them as practices in InfoSec/AppSec.
References
Wikipedia: Information Security
Dorothy E. Denning, Information Warfare and Security