1.2. Security Principles
When creating software, developers need to consider several key security principles.
1.2.1. 1. Confidentiality
Confidentiality ensures that sensitive information remains accessible only to authorised individuals or processes. In other words, no one else should be able to see or intercept the data.
Why It’s Important: Without confidentiality, personal details, trade secrets, or financial data could be exposed or stolen. This can lead to identity theft, loss of competitive advantage, or severe legal consequences.
Example of How to Ensure It:
Encryption of data both in transit (being transmitted) and at rest (stored on disk).
1.2.2. 2. Integrity
Integrity means keeping data accurate and unaltered. This applies during storage, transmission, and processing.
Why It’s Important: If data can be modified without detection, decisions made using that data become unreliable. This can lead to system malfunctions, incorrect data, or misleading results.
Example of How to Ensure It:
Hashes to verify that no changes have been made.
Checksums to verify that transmitted data is correct.
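As an added illustration (not code from the original notes), the following Python compares the integrity mechanisms listed above on a constructed record: a CRC-32 checksum, an unkeyed SHA-256 hash and a keyed HMAC. The record contents and SECRET_KEY are made-up values.

```python
import hashlib
import hmac
import zlib

# Constructed sample record standing in for data that is stored or transmitted.
ORIGINAL = b"account=1234;amount=100.00;currency=GBP"
TAMPERED = b"account=1234;amount=900.00;currency=GBP"
# Hypothetical shared secret for the keyed check (an assumption, not from the page).
SECRET_KEY = b"example-shared-secret"


def crc32_hex(data: bytes) -> str:
    """Checksum: catches accidental corruption, trivially recomputed by anyone."""
    return format(zlib.crc32(data) & 0xFFFFFFFF, "08x")


def sha256_hex(data: bytes) -> str:
    """Unkeyed cryptographic hash: any change to the data changes the digest."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(data: bytes, key: bytes = SECRET_KEY) -> str:
    """Keyed hash (MAC): a matching tag cannot be produced without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def fingerprint(data: bytes) -> dict:
    """Values a sender or writer would store alongside the record."""
    return {"crc32": crc32_hex(data), "sha256": sha256_hex(data),
            "hmac": hmac_sha256_hex(data)}


def check_record(data: bytes, stored: dict) -> dict:
    """Recompute each value over the received data and compare in constant time."""
    fresh = fingerprint(data)
    return {name: hmac.compare_digest(stored[name], fresh[name]) for name in stored}


if __name__ == "__main__":
    stored = fingerprint(ORIGINAL)
    print("unchanged:", check_record(ORIGINAL, stored))  # all True
    print("tampered: ", check_record(TAMPERED, stored))  # all False
    # If whoever alters the record can also rewrite the stored values, they can
    # recompute the checksum and the plain hash, but not the HMAC without SECRET_KEY.
    forged = dict(fingerprint(TAMPERED), hmac=stored["hmac"])
    print("tampered, checks recomputed:", check_record(TAMPERED, forged))
```

The last case is why a checksum or plain hash only protects integrity when the stored digest itself is trusted; a keyed MAC (or a digital signature) is needed when the stored values could be replaced along with the data.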
1.2.3. 3. Availability
Availability ensures that software and services are up and running whenever users need them. An outage is a period during which a service or piece of software is unavailable. Outages can also be planned, usually for maintenance such as updating systems or making changes.
Why It’s Important: An outage can disrupt essential operations such as healthcare systems, e-commerce websites, or internal organisation services, causing significant financial and reputational damage.
Examples of How to Manage It:
Redundancy and Failover Systems: backup servers or sites that can take over when the primary fails.
Load Balancing: distributing traffic across multiple systems so that no single system is overloaded.
Planning and announcing outages ahead of time to minimise impact.
1.2.4. 4. Authentication
Authentication confirms the identity of a user or system, typically via passwords, tokens or biometrics.
Why It’s Important: Strong authentication methods prevent unauthorised access, reducing the risk of impersonation or brute-force attacks.
Examples of How to Ensure It:
Multi-Factor Authentication (MFA) combining passwords with codes, biometrics, etc.
Encrypting passwords in transit so that they cannot be intercepted.
1.2.6. 6. Accountability
Accountability links actions or events in the system to specific users or processes. Through logs and audit trails, it’s possible to see who did what and when.
Why It’s Important: Tracing events back to responsible parties aids in resolving issues, conducting investigations, and ensuring compliance with legal or regulatory requirements. It also discourages misuse.
Examples of How to Ensure It:
Robust Logging of user actions, system changes, and security events.
Auditing Procedures such as periodic reviews of logs and automated alerts for suspicious behaviour.