Saturday, October 17, 2009

Is your computer "male" or "female"?


As you are aware, ships have long been characterised as being female, as in "Steady as she goes" or "She's listing to starboard, Captain!" Recently, a group of computer scientists (all male) announced that computers should be referred to as being female. Their reasons for drawing this conclusion are as follows:

Five reasons to believe computers are female:

1. No one but the Creator understands their internal logic;

2. The native language they use to communicate with other computers is incomprehensible to everyone else;

3. The message "Bad command or file name" is about as informative as, "If you don't know why I'm mad at you, then I'm certainly not going to tell you";

4. Even the smallest mistakes are stored in long term memory for later retrieval;

5. As soon as you make a commitment to one, you find yourself spending half your paycheck on accessories for it.


HOWEVER, another group of computer scientists (all female) think that computers should be referred to as male. Their reasons are as follows:

a. They have a lot of data, but are still clueless;

b. They are supposed to help you solve problems, but half the time they are the problem;

c. As soon as you commit to one you realize that, if you had waited a little longer, you could have obtained a better model;

d. In order to get their attention, you have to turn them on;

e. Big power surges knock them out for the rest of the day.

Tuesday, October 13, 2009

Information Security in Application Development, Software, Programming


Information Security overview

Information security is all about protecting an organisation’s information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. At the heart of information security is the term vulnerability: a weakness in a system which can be exploited to breach security.



Vulnerabilities may be exposed by, among other sources, the operating system, middleware, hardware, network, the application development language, and the developed application itself, which is the focus of this article. Considering all the sources mentioned above, the application developer can, through his or her actions, mitigate the risks emanating from each of them. This gives us an idea of the enormous responsibility assigned to application development; you will agree with me that this calls for vast technology knowledge among application developers, particularly in a rapidly changing world of technology.

We can simplify information security by looking at it through the CIA (Confidentiality, Integrity & Availability) acronym. Let us consider a few scenarios where inadequate information security leads to loss:

· Imagine what will happen if the Coca-Cola production formula is leaked to its main competitor.

· What happens when a bank's account details are not secure? The bank will face enormous legal action, loss of customers’ goodwill and the resultant business loss.

· What happens when an organization's payroll information leaks out? The company will surely have more disgruntled staff, and sudden staff resignations may follow.

· What happens when hackers exploit a vulnerability in your IT infrastructure and undertake activities that can lead to a critical service outage?

· What happens when, due to poor application architecture or coding, end users start experiencing poor performance as customer and transaction volumes increase?



Service outage

The cost of service non-availability is best understood through an example. Consider a telecommunication company with a 400-capacity call centre that had a 2-hour service downtime of a critical call centre application. Let us also assume that an average call centre agent earns $12/hour.

Some of the losses incurred are:

· Customer goodwill lost from about 24,000 customers (assuming it takes 2 minutes to handle a customer’s request) over the two hours of outage

· Financially, the total salary paid to staff who could not carry out their job = 400 * 12 * 2 = $9,600

· When service is restored, the hold time in the call queue is likely to rise; this is another determinant of goodwill and customer retention



Confidentiality

It is the IT security requirement that ensures non-disclosure of information to unauthorized individuals or systems. On the application development side, the level of detail about a person or organization that a user can access should be based on an approved access role. For example, the recent PCI DSS (Payment Card Industry Data Security Standard) regulation requires that such confidential information (credit/debit card info) should not be available in raw form to anybody, including the database administrator. Under the PCI requirement, the developer must ensure such data is kept in encrypted form. Today, there is commercially available software which you can interface with your application to enforce this regulatory requirement.



Integrity

In information security, integrity means that data cannot be modified without authorization, and the user would not be able to refute access. Without integrity, reliance on, trust in, and confidence in the IT system will be lost. Imagine a case where a bank teller/cashier sees a customer's available balance but is not sure the balance is correct, because on an earlier occasion he/she made a payment against the shown balance but was penalized for granting an unapproved overdraft.

This calls for:

· application development to be based on approved business requirements, policies and processes

· ensuring a real-time update is triggered once a transaction is consummated, by having users' screens refreshed occasionally and ensuring key revalidations prior to the actual commit (as changes may have occurred from other users, sources or transaction channels).
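The revalidation-before-commit point, using the teller scenario above, as an added example that is not part of the original article. The `account` table, its `version` column and the function names are assumptions made for this illustration; the sample data is constructed.

```python
import sqlite3

def open_bank():
    """Constructed sample data: account 1 holds 100 and starts at row version 1."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    db.execute("CREATE TABLE account (id INTEGER PRIMARY KEY,"
               " balance INTEGER NOT NULL, version INTEGER NOT NULL)")
    db.execute("INSERT INTO account VALUES (1, 100, 1)")
    return db

def read_account(db, account_id):
    """What the teller's screen shows: (balance, row version at read time)."""
    return db.execute("SELECT balance, version FROM account WHERE id = ?",
                      (account_id,)).fetchone()

def withdraw(db, account_id, amount, seen_version):
    """Revalidate inside the write transaction, then commit.

    Returns "ok", "stale" (row changed since the screen was loaded) or
    "insufficient" (the current balance would go negative)."""
    db.execute("BEGIN IMMEDIATE")  # take the write lock before re-reading
    try:
        row = read_account(db, account_id)
        if row is None or row[1] != seen_version:
            result = "stale"
        elif row[0] < amount:
            result = "insufficient"
        else:
            db.execute("UPDATE account SET balance = balance - ?, version = version + 1"
                       " WHERE id = ? AND version = ?", (amount, account_id, seen_version))
            result = "ok"
        db.execute("COMMIT" if result == "ok" else "ROLLBACK")
        return result
    except Exception:
        if db.in_transaction:
            db.execute("ROLLBACK")
        raise

def demo():
    """Two tellers load the same screen, then both try to pay out 80."""
    db = open_bank()
    _, seen_a = read_account(db, 1)
    _, seen_b = read_account(db, 1)
    first = withdraw(db, 1, 80, seen_a)        # commits, version becomes 2
    second = withdraw(db, 1, 80, seen_b)       # screen is out of date
    _, refreshed = read_account(db, 1)
    third = withdraw(db, 1, 80, refreshed)     # fresh screen, but only 20 left
    return first, second, third, read_account(db, 1)
```

The second teller's payout is refused because the row version no longer matches what the screen showed, so the overdraft in the scenario cannot be granted from a stale balance.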



Availability

It is all about ensuring that an IT service or system and all its components are available to be used when required. Server/hardware availability is not of interest to the business; rather, the business is interested in service availability. If a system is available but users cannot use it to deliver service, it is considered unavailable. Take a case where an application developer made a field unique and auto-numbered, and the field can only accommodate four digits; this means the maximum number will be 9999. After this, no transaction can be executed until a remedial action is undertaken, and how long will that take?

One common availability-related attack that developers should guard against is denial-of-service (DoS); the simplest case is where spam mail fills your mailbox, using up the disk space allocated to you. DoS can also be caused by an uncontrolled file upload option on a website; such an upload feature must handle basic security issues: limit the maximum file size that can be uploaded, and filter each uploaded file to ensure it does not contain malicious embedded code, i.e. executable script, HTML tags, etc.
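The two upload controls described above (a size limit and a content filter), as an added example that is not part of the original article. The 1 MiB limit, the allow-list of file types, the marker list and all function names are assumptions chosen for this illustration; the marker scan is a coarse filter and can reject legitimate files that happen to contain those byte sequences.

```python
import io

MAX_UPLOAD_BYTES = 1024 * 1024      # assumed policy limit (1 MiB)
CHUNK_BYTES = 64 * 1024
# Assumed allow-list of accepted types, keyed by their leading magic bytes.
ALLOWED_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf"}
# Assumed markers for embedded script or HTML; matched case-insensitively.
ACTIVE_MARKERS = (b"<script", b"<html", b"<iframe", b"<?php")

class UploadRejected(Exception):
    """Raised when an upload breaks the size or content policy."""

def read_limited(stream, limit=MAX_UPLOAD_BYTES):
    """Read in chunks and stop as soon as the limit is passed, so an
    oversized body is never buffered or written to disk in full."""
    buf = bytearray()
    while True:
        chunk = stream.read(CHUNK_BYTES)
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > limit:
            raise UploadRejected("file exceeds maximum upload size")

def validate_upload(stream, limit=MAX_UPLOAD_BYTES):
    """Return (type, size) for an acceptable upload, else raise UploadRejected."""
    data = read_limited(stream, limit)
    kind = next((name for magic, name in ALLOWED_MAGIC.items()
                 if data.startswith(magic)), None)
    if kind is None:
        raise UploadRejected("file type not on allow-list")
    lowered = data.lower()
    for marker in ACTIVE_MARKERS:
        if marker in lowered:
            raise UploadRejected("embedded active content")
    return kind, len(data)

def verdict(data, limit=MAX_UPLOAD_BYTES):
    """Convenience wrapper for in-memory bytes: 'accepted:<type>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + validate_upload(io.BytesIO(data), limit)[0]
    except UploadRejected as exc:
        return "rejected:" + str(exc)
```

The limit is enforced on bytes actually read rather than on a length the client declares, which is what keeps an oversized upload from consuming disk space.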

Developers should also be guided by the organization’s policies: security policy, access control, business continuity management, regulatory compliance, etc.

System availability can be greatly improved by considering performance from the design stage and not just as a tick in the box before go-live; that is why it is important that you design and build systems based on the URS of the service catalogue. This document will contain the expectations of the business and also the forecast of the expected load on the application.

Performance testing and stress testing should be done before deployment. This is usually done using virtual users whose activity is injected into the application under test; the performance information (e.g. end-to-end response time, number of concurrent users, CPU utilization) is then obtained and compared to the business requirement.

Applications should be designed and implemented with high availability in mind, but you should not stop there; continue until your application failover test has been passed successfully.



Authenticity and Non-repudiation

Authenticity and non-repudiation are vital IT security requirements which cut across CIA. Authenticity ensures that the system/user is valid and real, while non-repudiation helps to ensure that one party to a transaction cannot deny having received a transaction, nor can the other party deny having sent it. Both authenticity and non-repudiation can be applied through technology such as digital signatures and encryption. (Digital signatures are equivalent to traditional handwritten signatures in many respects; when properly implemented, a digital signature is more difficult to forge than a handwritten one.)



Conclusion

Developing a secure application is a conscious, planned and expensive activity. It is a necessity which, when properly done, will eliminate or reduce vulnerability from other sources. It can be said that if our information asset is confidential, trusted and available, then the information asset is safe.

By Dominic Ogbonna


Dominic Ogbonna, a member of AISA, is the Capacity & Availability coordinator of Phones4u (UK).
He has several years of experience in Information system management, Infrastructure management, Application development, implementation & support across the banking, telecom and retail sectors, with expertise in Application Design & architecture, Information systems security, and Capacity & Availability Management.

http://www.jidaw.com/security/aisa/information_security_application_development.html