Friday, August 15, 2014

Things to remember about information security

As more businesses look to cloud application providers for solution, the need for developers to understand secure coding practices is becoming much more important. Gone are the days when a developer would write an application that only ran in a secure environment and now it is possible for applications to be moved to locations where previously well managed security gaps now are exposed to the internet at large. Developers now more than ever need to understand basic security principles and follow practices to keep their applications and data safe from attackers.

To make things more secure, a developer needs to first understand and believe the following statements:

  • You don't know how to do it properly
  • Nothing is completely secure
  • Obscurity doesn't equal security
  • Security is a continuum

You don't know how to do it properly

If I had a nickel for every developer who though they invented the newest, greatest, cleverest encryption/hashing routine, I'd be a millionaire. Trust me, if you aren't working for the NSA or doing a doctorate on the subject, there are thousands of people who can defeat your clever approach...worse yet, even if you ARE in the aforementioned groups there are still SOME folks who can defeat your approach. Which means:

Nothing is completely secure

The only way to completely secure a system or data is to completely destroy it. This is a mathematical fact, don't argue, just trust me on this. If ONE person can access the information, someone else can. MAYBE if it's in your head and your head alone it is pretty secure, but there are ways of getting that information too...some of which can be unpleasant. So these two things having been said, I want to add the clarifying statement that:

Obscurity doesn't equal security

As someone who has witnessed back doors get exploited numerous times, thinking you can just "hide the key under the rock" and hope for the best is not a sound policy. Don't get me wrong, making targets less obvious is great... please do it... but be wary of relying on this as your sole security measure, it will be discovered. Which leads to my final point:

Security is a continuum

Remember how security isn't absolute? Well this is the reassertion of that statement. When having discussions, the question isn't "is it secure (yes/no)?" it should be "is it secure enough (yes/no)?" and "what are our threat vectors?". Subtly changing the question from being absolutely yes or no can open up a discussion and let you objectively begin to measure your risk.

No comments: