--Originally published at PocketMinder's Blog

So, cryptography… How important is it in a system? Well you guessed it! Pretty important.

Cryptography and security go hand in hand. Cryptography helps securing a system by transporting encrypted data that cannot be decrypted easily.

There are many ways encrypting data works, mostly now there are two man categories, symmetric cryptography and asymmetric cryptography. Both of them use a term called “keys” but they work in a different way. In a general way, the way symmetric encryption works is by having one key for each person that will encrypt and decrypt data. This way both keys have a relation between them, and if one is compromised (stolen) then pretty much the other is compromised as well. Asymmetric encryption works by having two sets of keys, one set is private, meaning only the person who created the key can have the key, and the other set is public so anyone can see it. Then data is encrypted using a private key and then is decrypted by a public key and a private key. Again is a general explanation of how those methods work but there is much more behind them.

So yeah, encryption is a really important thing that must be take into account when developing the security architecture of a system, and there are many ways to do it, one must choose the most appropriate method of encryption for the given system.

I’ll leave a link below to a (very good) video about asymmetric encryption (also known as public key encryption), enjoy!

--Originally published at PocketMinder's Blog

So, how important it is to create a good security architecture?

If your answer is something similar to “not that important” then you are screwed my friend.

It is VERY important to create and maintain a good security architecture, because if you don’t do it properly, following the steps necessary to ensure minimal risk, then your system will fail, and depending on the type of information your system handles, it can be very bad.

A good security architecture is one where it is being planned and developed in parallel to the actual system itself, having a good foundation so that any other new features the system will implement can actually be implemented properly. It cannot be bolted on to the system, if it is, then how can you be sure that there are no flaws?

Another important aspect to the security architecture of the system is the testing, if you can’t test the security properly, then it is not well-implemented. You must check every single aspect of the architecture to make sure you have a good security architecture, otherwise it is like shooting in the dark!

Again, security is pretty much the most important aspect of any system, and depending of the type of information handled, then it can be critical to the success of the system to have a really good security architecture, and also well documented, because no one wants to bang their head trying to figure out what the heck a variable is doing to the overall security of the system.

--Originally published at PocketMinder's Blog

So you might think that having a secure website/application/system is about being shielded from any attack. But you are wrong, because there is no silver bullet in programming, there will always be vulnerabilities, and the art in security is managing and reducing those flaws in your system and have a backup plan in case everything goes to hell.

Risk management is all about that, maganing the risks that a system can have. There is process involved in order to know what level of risk is acceptable for the system. First off you need to know the AIC principle, once you have that you can start looking into security controls and applying them. Then someone has to assess them and accept the level of risk imposed. Basically someone has to take responsibility for what risks are acceptable for a system. And last but not least, there must be continuous monitoring of those security controls in other to find more possible flaws and assess them fix them.

So, again, it’s okay to know that your system is vulnerable, but you must know how to address those issues if they ever come, and also your team is really important, because everyone is important for securing your system.

--Originally published at PocketMinder's Blog

So, code of ethics. Where to begin?… Code of ethics (in programming) it’s similar to every other code of ethics, it has rules and principles that must be followed in order to never do the wrong things.

In the many principles that the code of ethics for programmers has, some of the most “important” are:

A programmer must.

• …never create or distribute malware.
• …never reuse copyrighted code unless the proper license is purchased or permission is obtained.
• …acknowledge (verbally and in source code comments) the work of other programmers on which the code is based, even if substantial changes are made.
• …never reveal the secret corporate knowledge of an employer.
• …never accept compensation from multiple parties for the same work unless permission is given.

Again, there are many principles and rules, which are listed in this WEBSITE made by the ACM.

So, how important are they? Well, pretty important, you must obey them by all means and never break one of them, because you could end up in jail (no joke), or you could destroy your entire programming career.

But don’t worry! It’s hard (unless you really want to break some rules) to break these principles and rules, you just need to be consistent in your work, and always be open to new ideas of working and also (and pretty much the most important thing) be good.

--Originally published at PocketMinder's Blog

So, in security there are three main “pillars”, these pillars are the most important aspects about security. First of all “CIA” is an acronym for Confidentiality, Integrity and Availability. I’ll tell you more about it in just a sec.

Confidentiality is sort of a synonym for security, and basically it means that only authorized users must be able to access certain data, so no snoopers can access it and do what they want with it.

Integrity means that the saved data must be certain, must be accurate and well, true… No one should temper with it and change it without anyone knowing, so big no no for “man in the middle” enthusiasts.

Availability is that data must be accessible for users (authorized ones) at any given moment, so they can read it or share it on Facebook or whatever they want (actual joke).

Now, the above concepts look all pretty and simple right? well no! In this modern age there are many concerns and challenges for this triad (CIA), and some of those problems are Big Data and IoT.

Big Data is a problem for security because more and more companies want to invest in this practice, they move huge amounts of data (and I mean HUGE), and it becomes a problem when the sources of that data are varied (Integrity gets compromised) and the sheer volume of data needed to be safeguarded gets pretty huge (and hard to keep it secure). An actual example of this problem can be what happened with Edward Snowden when he brought to public eye the NSA’s massive collection of American citizen’s personal data.

Then there is IoT, oh man what a beautiful (not to mention utopian) concept it is huh? Well now people for some reason want their toaster to be intelligent because

Continue reading "AIC (CIA) Triad" →