Security is an overloaded and misused term and should be sunset. In development projects, words have value when they enable people to discuss design concepts and tradeoffs. Ask five different people to define "security" and you are likely to get six different responses. Some will respond with security policy, others with access management, others with crypto, and of course firewalls and other controls. These elements may all be part of a security solution, but they do not "secure" much of anything in a holistic sense. Lack of clear agreement over the definition of security leads to incorrect assumptions about who is doing what and Texas leaguers where solveable problems do not get addressed due to low resolution communication.
Instead of using the word "security", be more specific.
Use specific terms like confidentiality, integrity, and availability; as in: "we need integrity services for this message that is going over the wire", and then drill down from there. Instead of "we need to secure the message."
Use specific terms like authentication, authorization, and attribution; as in: "we need to delegate authentication to the app server", and then drill down from there. Instead of "we need to secure the session."
Use specific terms like input validation; as in "all input is validated upon entry to server", and then drill down from there. Instead of "we need to secure the app"
Be specific, write specific requirements, write specific Use Cases, tie it together with architecture, build it into the process, code to it, test it. Deploy it.
Comments