Confidentiality

Confidentiality ensures that only the subjects authorized to access to and use the contents of a message, a transaction, or any other data stored in the system have access to those contents. In other words, confidentiality is closely linked to privacy.

This is, for example, the case of any mailing service you use: the emails you receive need to be visible only to you, the receiver.

Some of the threats to the confidentiality of an information system are due to, for example, intruders, malware, or social engineering attacks.

To keep data and its existence secret is a problem that many organizations face, and they put a significant amount of time and money into it. This is because unauthorized access to confidential data could have a severe impact on the business, not only for critical applications. To this end, it is important to identify and classify data based on the required confidentiality in order to ensure that top priority security assets are adequately protected over time.

Even if different security mechanisms can provide different degrees of confidentiality (availability and integrity), the main prerequisite is to protect confidentiality via cryptography, by encrypting data both at rest and in transit (i.e., moving from one system to another), and access control mechanisms. These activities need to be tracked, audited, and monitored over time.

Integrity

Integrity ensures a message, data, or transaction has not been tampered (i.e., compromised). It encompasses different properties of stored or information including correctness, completeness, consistency, and accuracy. When a security mechanism provides integrity, it prevents improper or unauthorized access and modification of data, or a resource, in a system.

An example of integrity is the case of the balance of your bank account. At any point in time, the balance needs to be correct by means of any transactions (e.g., withdraw and deposit) you legitimately performed.

Maintaining integrity also ensures that any piece of information is internally and externally consistent.

Availability

Availability ensures that information is constantly and readily accessible by authorized users. Protection mechanisms must be in place to protect against both outside and inside threats that could affect the availability of the organization’s assets.

Back to our bank account example. Ensuring availability means that accessing the various banking services should work anytime you need to.

Typical attacks against availability are denial of service (DoS) attacks and its distributed form DDoS. Anyhow, when dealing with system availability, it should also be taken into account possible power outages as well as risks due to natural disasters (i.e., physical security). Between all, properly implementing redundancy is the very first step into achieving availability.

Non-repudiation

The CIA triad is sometimes also referred to as PAIN, which stands for privacy, availability/authentication, integrity, and non-repudiation.

Non-repudiation means that an action cannot be denied. Any action (e.g., access or modification) is bounded to a unique subject. For instance, this property ensures that after a message is sent, it cannot be disputed if it has been sent or not.

Back to our email example; this means that if a friend sends you an email, they cannot argue whether they sent it or not.

Trade-offs

Implementing the right controls, based on security requirements, is fairly intricate. Trade-offs are made all the time between the various triad aspects. Certain aspects might require priority, but a balance should always be considered. Consider, for example, a scenario where high confidentiality is highly enforced but availability is neglected: in case of an attack, even the subject with the right permission would not be able to access anything.

Back to our banking example, high confidentiality means that the account holder is the only person allowed to access banking services. However, a lack of availability implies that not even the account holder can use services even if they should be allowed to.

Not balancing properly security requirements given the criticality of the offered services, the environment they run into, as well as any legal obligation would cost a lot for the industry, both in terms of money and reputation.

Least Privilege

Least privilege states that any subject should be given the minimum possible privilege on the minimum portion of resources for the minimum amount of time (Figure 10-3). In other words, a user should be given only those privileges which are strictly required to perform its designated task.

A simple example application is often enforced in physical security: you do not have access to an office unless you need to (e.g., you work for the company who owns/rents that specific office).

Defense in Depth

Defense in depth is about providing multilayer protection: subsequent layer will provide protection if a previous one is breached (Figure 10-4). The reasoning behind this principle is that combining several layers of different types of security mechanisms is the only way to deploy a reasonably secure environment: attackers would need to overcome all the levels of protection that surround the protected assets in order to gain access to it.

As an an example, think about a simple multilayered software consisting of an API, some backend computation, and a database. Attempting to secure only the API is insufficient: any circumvention of the API would leave backend and data exposed to possible attacks.

Segregation of Duties

The segregation of duties (SoD) principle states that no person should be given responsibility or access to more than one related function (Figure 10-5). The reasoning behind this principle is that it mitigates the risks arising from accidental or intentional misuse of resources and information.

This is as simple as thinking about the development tools we use every day, git included. Segregation of duties happens when you are granted read/write permissions to the projects your team owns, but you do not have permissions, by default, to the other projects within the company.

Fail Safe

The fail safe principle states that if a system fails, it should fail to a state in which security and data are not compromised (Figure 10-6). It means that the default access rights for any entity to any resource is no access.

Back to our banking system. If you attempt to perform a withdrawal, but no money can be released by the ATM, fail safe means that the error is clear and the failure of the withdrawal is reflected by no change into the balance of your checking account.

Complete Mediation

Complete mediation means that every request by a subject to access an object must be authorized, without exceptions (Figure 10-7). Indeed, it applies to every protected or unprotected object in the system. This principle imposes the constraint of identifying every subject attempting to access an object. Thus, it enables a consistent access control of the whole system, thus improving security as well as assurance and confidence.

As an example, complete mediation means that you won’t access to any of the data and services (either critical or not) on your laptop unless you authenticated yourself and authorization has been granted.

Least Common Mechanism

The least common mechanism states that a minimum number of protection mechanisms should be common to multiple (i.e., more than one) users, since shared access paths may lead to information leakage (Figure 10-8). In other words, mechanisms to access resources should not be shared.

Consider, for example, two virtual machines, each running a service with a different set of users. Those two virtual machines need to be properly isolated in order to guarantee no leakage from one machine to another.

Weakest Link

The weakest link principle stresses how important it is to identify—and mitigate—the weakest mechanisms in the security chain and layers of defense (Figure 10-9).

Generally speaking, the commonly known weakest link is ourselves as humans and the usage we do of a system. Phishing and social engineering attacks are at the order of the day, and there is not much security a system can offer if we willingly, yet unconsciously, volunteer information.

Security Principles Caveats

The described principles do not look like rocket science. However, they are a huge boost in securing any solution. Bad things always happen (Murphy’s law), but I think that—really—starting from the foundations of security principles and software development is the way to go. It does not end there for sure, but they are still underrated nowadays.

Worth noting, however, that any of these fundamental principles can be very complex depending on the technologies used and the context they run into.

As an example, let’s go back to the least common mechanism: isolating virtual machines is not the same as isolating containers that, in turn, is not the same as separating flows within a given service on top of them depending on the specific business logic and usage expectations.

Secure Software Development Lifecycle

Security code reviews are only a small piece into the secure software development lifecycle (SSDLC).

As anticipated, security should be by design. However, there is much more that goes into a proper SSDLC (Figure 10-10). Specifically

• Security is a critical piece of any software application and a very complex one. Proper awareness training on the topic is fundamental to the security process and is generally provided by most companies.

• As we saw, a good understanding of context and environment in which the application operates is fundamental to understand security requirements, implications, and potential risks from the get-go.

• Always consider security by design.

• Secure development and testing (reviews performed here as detailed in the following section).

• It is very important to have an outlined security/incident response plan in place ahead of releasing the code. In other words, it is fundamental to have and know which processes are in place in case an incident happens and who is supposed to resolve it within which time frame.

• Depending whether code needs to be publicly released or not, extra processes (company specific) are generally in place.

• Last, but not least, like general code quality, it is important to consider how to maintain security over time.

Security Code Reviews

A security code review serves the purpose of ensuring that major inconsistencies and other flows, not already detected, are still looked at. Figure 10-11 shows the software development lifecycle (SDLC) and highlights in which phase security code reviews are usually performed.

Generally speaking, such reviews focus on finding exposure to potential threats in the areas discussed earlier, that is, availability, confidentiality, and integrity. However, those are pretty broad, since they span across checking for identity and access management, how sessions are managed, data privacy, logging, error handling, confidential information, and encryption, just to mention some.

Automating Security Reviews

Automated code reviews might help a lot in speeding up the review—we love automation, don’t we?

Static application security testing (SAST) tools can be used to support static code analysis and help find security flaws. Generally speaking, they are very useful during the development process, and they are fairly easy to embed during the development phase.

As an example, GitLab CI/CD offers easy integration with SAST (https://docs.gitlab.com/ee/user/application_security/sast/) and can be used to spot both the existence unsafe code that could potentially be used for unintended code execution and XSS attacks.

At the other side of the seesaw, there are manual code reviews that require a good knowledge of the programming language, domain, application, use cases, and—in this case—security as well. They are definitely more complex and time consuming than using automation.

However, some of the aspects like how identities are managed can be better detected via manual reviews. Code scanners can speed up the process, especially if the code base is fairly big. Their use is useful especially as a first pass. Anyway, they may lack context, hence possibly producing both false positives and false negatives. Thus, I encourage you to automatize when possible but still embed manual reviews to ensure as much as possible code quality and security.