
Data Security within Application Design

December 12, 2013

Posted by bkrugman in Security.

Of the many Web sites on the Internet, some need certain levels of security while others do not.  Web sites that hold credit card information, like Amazon, Best Buy, or any other online retailer, need to put a lot of focus on their customers’ data security and on how their systems protect that data.  If you look at Mr. Anderson’s article “Why Cryptosystems Fail” [1], you will see that the majority of security risks do not come from complex attacks, but rather from development, implementation or other flaws that were introduced during design and maintenance.

These flaws can be extremely hard to fight, but putting some thought into the security structure while an application or infrastructure is being designed can prove extremely beneficial.  The reason: if you put some focus on implementing security within a design, it will be more transparent to the users and can lead to simpler implementations.  No matter how good a piece of software is, if its designers did not think about data security at any level, whether that is how the data is accessed, what data needs to be encrypted, or who can see the data, the software will always be partially hindered.  Trying to attach security to an unsecured software design tends to push developers and architects toward solutions that stack complexity on top of more complexity, making them not only more difficult to develop and test, but also difficult to maintain.  Another point is that when you build something extremely complex, there tend to be holes and other areas that can be exploited to reach an end.

Mr. Anderson’s article focused more on Automatic Teller Machines (ATMs), but the same train of thought can also be applied to software development.  As he mentioned, there is no silver bullet for the problem of data security (in the case of the article, cryptology).  But by designing data security into an application from the start, the development team is better able to ensure that potential breaches of data are not as accessible as they would be if the team built a package and then attached security after the fact.


[1] Why cryptosystems fail, by Ross J. Anderson, November 1994, Communications of the ACM, Volume 37, Issue 11.


