Log in Subscribe

Primary Security Principles and Concepts

Mcconnell Mcintyre
· 12 min read
Primary Security Principles and Concepts

# Chapter 3: Core Security Principles and Concepts

Before diving further in to threats and protection, it's essential in order to establish the fundamental principles that underlie application security. These core concepts will be the compass with which security professionals navigate decisions and trade-offs. They help reply why certain adjustments are necessary and what goals all of us are trying in order to achieve. Several foundational models and guidelines guide the design and even evaluation of secure systems, the almost all famous being the particular CIA triad plus associated security guidelines.

## The CIA Triad – Privacy, Integrity, Availability

In the middle of information safety measures (including application security) are three major goals:

1. **Confidentiality** – Preventing unapproved use of information. Inside simple terms, trying to keep secrets secret. Only those who happen to be authorized (have the right credentials or even permissions) should end up being able to view or use very sensitive data. According in order to NIST, confidentiality implies "preserving authorized restrictions on access and even disclosure, including method for protecting personal privacy and amazing information"​
PTGMEDIA. PEARSONCMG. COM
. Breaches involving confidentiality include trends like data leakages, password disclosure, or even an attacker looking at someone else's e-mail. A real-world illustration is an SQL injection attack of which dumps all customer records from a new database: data of which should happen to be secret is subjected to the attacker. The other regarding confidentiality is disclosure​
PTGMEDIA. PEARSONCMG. APRESENTANDO
– when info is revealed to those not authorized to be able to see it.

a couple of. **Integrity** – Guarding data and devices from unauthorized changes. Integrity means of which information remains correct and trustworthy, and even that system capabilities are not interfered with. For illustration, when a banking application displays your account balance, integrity actions ensure that a great attacker hasn't illicitly altered that stability either in transit or in the particular database. Integrity can certainly be compromised simply by attacks like tampering (e. g., modifying values in a LINK to access somebody else's data) or by faulty computer code that corrupts files. A classic device to ensure integrity is usually the using cryptographic hashes or validations – when a record or message will be altered, its personal will no longer verify. The reverse of integrity is often termed alteration – data becoming modified or dangerous without authorization​
PTGMEDIA. PEARSONCMG. COM
.

3 or more. **Availability** – Ensuring systems and info are accessible when needed. Even if information is kept key and unmodified, it's of little use in case the application will be down or unreachable. Availability means of which authorized users can certainly reliably access the particular application and it is functions in a new timely manner. Risks to availability consist of DoS (Denial regarding Service) attacks, wherever attackers flood a new server with site visitors or exploit the vulnerability to collision the system, making this unavailable to legit users. Hardware problems, network outages, or even even design problems that can't handle summit loads are also availability risks. The opposite of availability is often identified as destruction or refusal – data or even services are damaged or withheld​
PTGMEDIA. PEARSONCMG. COM
. The particular Morris Worm's influence in 1988 has been a stark tip of the need for availability: it didn't steal or change data, but by causing systems crash or slow (denying service), it caused significant damage​
CCOE. DSCI. IN
.

These a few – confidentiality, honesty, and availability – are sometimes called the "CIA triad" and are considered the three pillars involving security. Depending about the context, the application might prioritize one over the particular others (for example of this, a public reports website primarily loves you that it's available and its particular content honesty is maintained, discretion is less of an issue since the articles is public; alternatively, a messaging app might put discretion at the top rated of its list). But a protected application ideally ought to enforce all three to be able to an appropriate diploma. Many security settings can be comprehended as addressing one particular or more of those pillars: encryption supports confidentiality (by scrambling data so just authorized can examine it), checksums plus audit logs help integrity, and redundancy or failover systems support availability.

## The DAD Triad (Opposites of CIA)

Sometimes it's useful to remember the particular flip side of the CIA triad, often called DAD:

- **Disclosure** – Unauthorized access to be able to information (breach involving confidentiality).
- **Alteration** – Unauthorized alter details (breach involving integrity).
- **Destruction/Denial** – Unauthorized devastation info or refusal of service (breach of availability).

Safety efforts aim to prevent DAD final results and uphold CIA. A single assault can involve multiple of these aspects. One example is, a ransomware attack might both disclose data (if the attacker steals a copy) and even deny availability (by encrypting the victim's copy, locking these people out). A website exploit might modify data in a databases and thereby breach integrity, etc.

## Authentication, Authorization, and even Accountability (AAA)

In securing applications, specifically multi-user systems, many of us rely on further fundamental concepts also known as AAA:

1. **Authentication** – Verifying the particular identity of a good user or program. Once you log in with an account information (or more safely with multi-factor authentication), the system is authenticating you – ensuring you usually are who you lay claim to be. Authentication answers the issue: Who are you? Frequent methods include accounts, biometric scans, cryptographic keys, or bridal party. A core rule is the fact that authentication should be strong enough to thwart impersonation. Weak authentication (like very easily guessable passwords or no authentication where there should be) is a frequent cause associated with breaches.

2. **Authorization** – Once identity is established, authorization adjustments what actions or data the authenticated entity is allowed to access. That answers: Exactly what you allowed to carry out? For example, right after you log in, a great online banking app will authorize that you see your very own account details but not someone else's. Authorization typically entails defining roles or permissions. A typical weakness, Broken Access Handle, occurs when these kinds of checks fail – say, an attacker finds that by changing a list USERNAME in an WEB ADDRESS they can see another user's info because the application isn't properly verifying their particular authorization. In fact, Broken Access Handle was identified as the particular number one internet application risk inside the 2021 OWASP Top 10, found in 94% of applications tested​
IMPERVA. POSSUINDO
, illustrating how predominanent and important appropriate authorization is.

a few. **Accountability** (and Auditing) – This appertains to the ability to find actions in the system for the dependable entity, which will signifies having proper logging and audit hiking trails. If something will go wrong or suspect activity is recognized, we need to be able to know who did what. Accountability is definitely achieved through logging of user actions, and by getting tamper-evident records. It works hand-in-hand with authentication (you can simply hold someone dependable knowing which account was performing the action) and along with integrity (logs them selves must be shielded from alteration). Inside application security, preparing good logging in addition to monitoring is crucial for both uncovering incidents and undertaking forensic analysis right after an incident. While we'll discuss inside a later chapter, insufficient logging in addition to monitoring enables breaches to go undiscovered – OWASP lists this as an additional top 10 issue, writing that without proper logs, organizations may fail to see an attack till it's far too late​
IMPERVA. POSSUINDO

IMPERVA. APRESENTANDO
.

Sometimes you'll see an expanded acronym like IAAA (Identification, Authentication, Authorization, Accountability) which just breaks or cracks out identification (the claim of personality, e. g. coming into username, before actual authentication via password) as an independent step. But the particular core ideas continue to be the same. A safe application typically enforces strong authentication, tight authorization checks with regard to every request, in addition to maintains logs intended for accountability.

## Rule of Least Freedom

One of typically the most important style principles in safety measures is to provide each user or even component the minimum privileges necessary in order to perform its operate, and no more. This specific is called the rule of least privilege. In practice, it means if an app has multiple roles (say admin versus regular user), typically the regular user records should have not any capacity to perform admin-only actions. If a new web application requirements to access a new database, the repository account it employs should have permissions just for the actual furniture and operations necessary – by way of example, in case the app by no means needs to remove data, the DB account shouldn't still have the DELETE privilege. By restricting privileges, even when an attacker compromises an user account or perhaps a component, destruction is contained.

A stark example of not following least freedom was the Capital One breach of 2019: a misconfigured cloud permission allowed a compromised component (a web software firewall) to retrieve all data coming from an S3 storage area bucket, whereas when that component experienced been limited to only a few data, typically the breach impact would have been a long way smaller​
KREBSONSECURITY. COM

KREBSONSECURITY. APRESENTANDO
. Least privilege likewise applies at the code level: in case a module or microservice doesn't need certain gain access to, it shouldn't need it. Modern box orchestration and cloud IAM systems ensure it is easier to employ granular privileges, nevertheless it requires considerate design.

## Protection in Depth

This kind of principle suggests that will security should end up being implemented in overlapping layers, in order that if one layer does not work out, others still provide protection. Basically, don't rely on virtually any single security manage; assume it may be bypassed, and even have additional mitigations in place. For an application, defense in depth might mean: you validate inputs on the particular client side regarding usability, but a person also validate them on the server based (in case the attacker bypasses your customer check). You secure the database right behind an internal fire wall, and you also write code that inspections user permissions prior to queries (assuming an attacker might break the network). In case using encryption, you might encrypt sensitive data in the databases, but also enforce access controls with the application layer plus monitor for unusual query patterns. Defense in depth is definitely like the sheets of an onion – an assailant who gets through one layer should immediately face one other. This approach surfaces the reality that no single defense is foolproof.

For example, imagine an application depends on an internet application firewall (WAF) to block SQL injection attempts. Protection thorough would dispute the application form should nonetheless use safe code practices (like parameterized queries) to sanitize inputs, in situation the WAF longs fo a novel harm. A real situation highlighting this has been the situation of specific web shells or injection attacks that were not known by security filter systems – the inside application controls and then served as the particular final backstop.

## Secure by Design and Secure simply by Default

These connected principles emphasize making security a basic consideration from typically the start of design and style, and choosing safe defaults. "Secure by simply design" means you want the system structures with security inside of mind – regarding instance, segregating sensitive components, using proven frameworks, and contemplating how each design decision could bring in risk. "Secure simply by default" means once the system is used, it should default in order to the most dependable adjustments, requiring deliberate action to make it less secure (rather compared to the other method around).

An instance is default account policy: a firmly designed application might ship with no predetermined admin password (forcing the installer in order to set a sturdy one) – since opposed to creating a well-known default username and password that users might forget to modify. Historically, many software program packages are not safeguarded by default; they'd install with available permissions or test databases or debug modes active, in case an admin chosen not to lock them straight down, it left gaps for attackers. Over time, vendors learned to be able to invert this: at this point, databases and systems often come using secure configurations out there of the field (e. g., remote access disabled, sample users removed), in addition to it's up in order to the admin to loosen if absolutely needed.

For designers, secure defaults mean choosing safe library functions by standard (e. g., arrears to parameterized questions, default to end result encoding for internet templates, etc. ). It also indicates fail safe – if a part fails, it ought to fail within a safe closed state somewhat than an unsafe open state. As an example, if an authentication service times out there, a secure-by-default tackle would deny entry (fail closed) rather than allow this.

## Privacy by Design

This concept, tightly related to safety by design, offers gained prominence particularly with laws like GDPR. It means of which applications should be designed not only to be secure, but to respect users' privacy coming from the ground upward. Used, this may possibly involve data minimization (collecting only just what is necessary), openness (users know just what data is collected), and giving consumers control over their data. While privacy is definitely a distinct site, it overlaps seriously with security: a person can't have privacy if you can't secure the personal data you're liable for. Many of the most severe data breaches (like those at credit bureaus, health insurance providers, etc. ) will be devastating not just because of security disappointment but because they violate the level of privacy of a lot of men and women. Thus, modern app security often works hand in hand with privacy factors.

## Threat Modeling

The practice inside secure design is definitely threat modeling – thinking like a good attacker to foresee what could get it wrong. During threat modeling, architects and programmers systematically go all the way through the type of an application to identify potential threats plus vulnerabilities. They inquire questions like: What are we building? What can move wrong? What is going to we all do about it? One particular well-known methodology regarding threat modeling is STRIDE, developed at Microsoft, which holders for six kinds of threats: Spoofing identity, Tampering with information, Repudiation (deniability of actions), Information disclosure, Denial of service, and Elevation regarding privilege.

By strolling through each component of a system plus considering STRIDE hazards, teams can discover dangers that might not be clear at first glimpse. For example, think about a simple online payroll application. Threat recreating might reveal that: an attacker can spoof an employee's identity by questioning the session token (so we want strong randomness), may tamper with salary values via a new vulnerable parameter (so we need input validation and server-side checks), could carry out actions and later deny them (so we want good review logs to prevent repudiation), could exploit an information disclosure bug in the error message in order to glean sensitive info (so we need user-friendly but hazy errors), might attempt denial of support by submitting a new huge file or heavy query (so we need rate limiting and reference quotas), or attempt to elevate freedom by accessing administrator functionality (so we need robust access control checks). By way of this process, security requirements and countermeasures become much clearer.

Threat modeling is ideally done earlier in development (during the design phase) as a result that security is definitely built in from the start, aligning with typically the "secure by design" philosophy. It's a good evolving practice – modern threat modeling may additionally consider mistreatment cases (how can the system end up being misused beyond typically the intended threat model) and involve adversarial thinking exercises. We'll see its significance again when discussing specific vulnerabilities in addition to how developers will foresee and stop them.

## Chance Management

Not every safety measures issue is both equally critical, and sources are always partial. So another concept that permeates application security is risikomanagement. This involves evaluating the likelihood of a risk plus the impact were it to occur. Risk is often in private considered as an event of these a couple of: a vulnerability that's simple to exploit plus would cause serious damage is substantial risk; one that's theoretical or would have minimal influence might be reduced risk. Organizations often perform risk assessments to prioritize their very own security efforts. For example, an on-line retailer might determine how the risk involving credit card robbery (through SQL treatment or XSS bringing about session hijacking) is very high, and as a result invest heavily inside of preventing those, whilst the risk of someone leading to minor defacement on a less-used site might be acknowledged or handled using lower priority.

Frameworks like NIST's or perhaps ISO 27001's risikomanagement guidelines help inside systematically evaluating and even treating risks – whether by excuse them, accepting all of them, transferring them (insurance), or avoiding these people by changing enterprise practices.

One concrete response to risk supervision in application protection is the development of a menace matrix or risk register where possible threats are detailed along with their severity. This particular helps drive judgements like which pests to fix very first or where to allocate more assessment effort. It's also reflected in repair management: if a new vulnerability is usually announced, teams can assess the risk to their application – is this exposed to that will vulnerability, how serious is it – to decide how urgently to make use of the spot or workaround.

## Security vs. Simplicity vs. Cost

Some sort of discussion of rules wouldn't be full without acknowledging the real-world balancing action. Security measures can introduce friction or cost. Strong authentication might mean even more steps to have a consumer (like 2FA codes); encryption might decrease down performance somewhat; extensive logging may raise storage fees. A principle to ad here  to is to seek balance and proportionality – security should end up being commensurate with the particular value of what's being protected. Extremely burdensome security that will frustrates users may be counterproductive (users might find unsafe workarounds, regarding instance). The art of application security is finding alternatives that mitigate risks while preserving the good user encounter and reasonable cost. Fortunately, with modern techniques, many security measures can end up being made quite unlined – for instance, single sign-on options can improve the two security (fewer passwords) and usability, plus efficient cryptographic your local library make encryption barely noticeable regarding functionality.

In summary, these fundamental principles – CIA, AAA, minimum privilege, defense in depth, secure by design/default, privacy considerations, danger modeling, and risk management – form typically the mental framework regarding any security-conscious medical specialist. They will show up repeatedly throughout information as we take a look at specific technologies and even scenarios. Whenever an individual are unsure about a security choice, coming back to these basics (e. g., "Am We protecting confidentiality? Are generally we validating integrity? Are we reducing privileges? Do we have got multiple layers associated with defense? ") can easily guide you to some more secure result.

With one of these principles on mind, we could today explore the specific hazards and vulnerabilities of which plague applications, and how to defend against them.