jump to navigation

Design with Security in Mind December 13, 2013

Posted by brltkd in Security.

People are using computers and the Internet for exchanging increasingly sensitive data. Many people are conducting financial transactions, such as banking and investment transactions, online. Additionally, there are government mandates to implement electronic medical record systems with the ability to exchange information between them electronically. It is important to address data protection and security considerations during the development of these types of systems.

Addressing potential security issues during system development is important because it easier to implement them during the initial design as opposed to trying to integrate them after development. Additionally, it they will generally be more effective when they are part of the initial design because they can be implemented at a core level of the system. For example, it is difficult to change underlying data structures to incorporate security requirements after application development is completed.

Another reason to incorporate security concerns into the development process is that most technological breaches come from simple failures in the software design [1]. Security personnel should be involved in the design process to help determine where risks may arise. They may see things other than technical aspects that must be considered. For example, changing an address may seem benign to the developers, but a security professional may point out that this could be used to redirect correspondence of potentially sensitive information [2]. Processing of this action may occur differently in light of that consideration.

Authentication and authorization are the two aspects that are commonly considered when designing a system. However, there is a concern that has appropriate access and is authorized to perform certain functions could perform actions maliciously. I work in the healthcare industry and I appropriately have the ability to view patient’s medical records. However, while I am able to, it is against company policy for me to view records that do not pertain to my work. Depending on the situation, this may also be a violation of state and federal laws. Therefore, it is important to have a mechanism in the system to audit user actions so it can be determined if their access was used inappropriately.

Designing and building the audit functionality is a core aspect of the system and needs to occur during the initial system design. Besides simply capturing the audit information, it necessary to consider where the information is stored. It would not be very effective if I were able to modify the audit information directly to remove traces of inappropriate activity. These types of factors must be considered and addresses during system design to create a secure system.

[1] A. Hern, “‘Most cyberattacks come through simple failures’ – security specialist,” The Guardian, 6 November 2013. [Online]. Available: http://www.theguardian.com/technology/2013/nov/06/most-cyberattacks-come-through-simple-failures-security-specialist.
[2] R. J. Anderson, “Why Cryptosystems Fail,” Communications of the ACM, vol. 37, no. 11, pp. 32-40, November 1994.


No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: