Tag: Uncategorized

Security Architecture Is Important

--Originally published at PocketMinder's Blog

So, how important it is to create a good security architecture?

If your answer is something similar to “not that important” then you are screwed my friend.

It is VERY important to create and maintain a good security architecture, because if you don’t do it properly, following the steps necessary to ensure minimal risk, then your system will fail, and depending on the type of information your system handles, it can be very bad.

A good security architecture is one where it is being planned and developed in parallel to the actual system itself, having a good foundation so that any other new features the system will implement can actually be implemented properly. It cannot be bolted on to the system, if it is, then how can you be sure that there are no flaws?

Another important aspect to the security architecture of the system is the testing, if you can’t test the security properly, then it is not well-implemented. You must check every single aspect of the architecture to make sure you have a good security architecture, otherwise it is like shooting in the dark!

Again, security is pretty much the most important aspect of any system, and depending of the type of information handled, then it can be critical to the success of the system to have a really good security architecture, and also well documented, because no one wants to bang their head trying to figure out what the heck a variable is doing to the overall security of the system.


Secured is to know you are not secured.

--Originally published at PocketMinder's Blog

So you might think that having a secure website/application/system is about being shielded from any attack. But you are wrong, because there is no silver bullet in programming, there will always be vulnerabilities, and the art in security is managing and reducing those flaws in your system and have a backup plan in case everything goes to hell.

Risk management is all about that, maganing the risks that a system can have. There is process involved in order to know what level of risk is acceptable for the system. First off you need to know the AIC principle, once you have that you can start looking into security controls and applying them. Then someone has to assess them and accept the level of risk imposed. Basically someone has to take responsibility for what risks are acceptable for a system. And last but not least, there must be continuous monitoring of those security controls in other to find more possible flaws and assess them fix them.

So, again, it’s okay to know that your system is vulnerable, but you must know how to address those issues if they ever come, and also your team is really important, because everyone is important for securing your system.


Code of Ethics

--Originally published at PocketMinder's Blog

So, code of ethics. Where to begin?… Code of ethics (in programming) it’s similar to every other code of ethics, it has rules and principles that must be followed in order to never do the wrong things.

In the many principles that the code of ethics for programmers has, some of the most “important” are:

A programmer must.

  • …never create or distribute malware.
  • …never reuse copyrighted code unless the proper license is purchased or permission is obtained.
  • acknowledge (verbally and in source code comments) the work of other programmers on which the code is based, even if substantial changes are made.
  • …never reveal the secret corporate knowledge of an employer.
  • …never accept compensation from multiple parties for the same work unless permission is given.

Again, there are many principles and rules, which are listed in this WEBSITE made by the ACM.

So, how important are they? Well, pretty important, you must obey them by all means and never break one of them, because you could end up in jail (no joke), or you could destroy your entire programming career.

But don’t worry! It’s hard (unless you really want to break some rules) to break these principles and rules, you just need to be consistent in your work, and always be open to new ideas of working and also (and pretty much the most important thing) be good.


Benefits of Software Design Pattern

--Originally published at Barros Creations LLC

What are Design Patterns?

Recurring solutions to software design problems you find again and again in real world application development. Patterns are about design and interaction of objects, as well as providing a communication platform concerning elegant, reusable solutions to commonly encountered programming challenges.  (From Data & Object Factory).

 

Design patterns are a general abstraction of a problem, which can be applied to a specific solution. Even though software developers tendo to solve many similar types of problems, it makes sense that any software solution would incorporate similar elements from other solutions.

 


OS security

--Originally published at Security blog

Operating systems also have some security within them. Well obviously! An operating system is a great place to set security things, since it is a system that also has a lot of users’ information and involvement with hardware. Also, and as we have seen previously, some rules things have been made for people to easily implement security on the OS. This post will talk about some of those things.

The first theme of all of this are passwords. In passwords theory we can use three things in common to create them. We can use what we know, what we have and what we are. What we know are, well, things we know, things we keep in our heads. These are the traditional passwords, words. What we have can be material things we own, such as credentials or tags, which are already used to give access to some places. What we are is our body, our own characteristics such as eyes or fingerprints. These last ones are the best, because you cannot lose yourself, but are more expensive.

Resultado de imagen para os security

We are also introduced to NTFS (new technology file system), a new form of saving, browsing and securing files. This new system has a nice ability to secure data, since premissions and privileges can be granted. Individual persmissions include full control, change, read and execute and list folder, among others. Also, we have the ability to create an active directory. A directory allows information to be stored, classified and retrieved. An active directory is a directory for objects. Essentially a database that resembles the form of a pyramid. Nice things about this is that implements athentication, trust relationships (when servers are added), and groups similar entities together in its structure.

Right to this point, some basic data for OS security has been covered,

Continue reading "OS security"

The principles of web security

--Originally published at Security blog

This theme brings to us many useful information for the security course. At this point, we now know that security is a state away from harm, but that, as we have seen, also includes non-physical things, and things related to systems. Two basic things are needed for making an appropriate security state: awareness (to know the dangers and wait for them) and protection (to use actual security services in an intelligent way). Web security matters because a web service can be very complex, and it is attractive for hackers to look for complex, often built by beginners, to try and steal information. We don’t want to lose control of our projects, do we?

Hackers are defined like “someone who tinkers with computers and come up with innovative ideas”. The term has been misleaded through time, now  a hacker is someone who can gain control of a platform and steal things. Several kinds of hackers exist, but it is sad to see that most of them doesn’t exist for positive purposes. Some people would not think that hackers will not attack them, but the truth is that bad people is roaming around all the time, and so awareness comes in.

The principles for web design are: least privilege, simplicity, never trust users, expect the unexpected, defense in depth, security through obscurity, blacklisting and whitelisting and map exposure points. We will talk briefly about these principles, since they form the basic web security theory. The least privilege principle refesr to give the minimum enough privilege to a user so that they can work in their own field and nothing else. Simplicity means to make the programs more simple, because the less things we have, the easier to protect. To never trust users is just to be careful with the users, because most

Continue reading "The principles of web security"

Cryptograhpy

--Originally published at Security blog

The art of cryptography. It is not just making secret messages, mainly because they are no secret. Anyone can read a encrypted message, or well, try to read them, because what they are about to read is just a senseless disaster. But it is a planned disaster, a key is needed to read an encrypted message, so that makes this a man-made art. This is certainly an old issue, since encrypted messages have old origins (recall the Enigma code!).

Resultado de imagen para cryptography

Today encryption is the safest way to keep information, and to assure the safe transfer of data. At the same time, we have that every server has to have five basic services to guarantee security: confidentiality (protecting data), integrity (unchanged data), accountability (protection in communication), authentication (confirm identity) and availability (services accessible). These things are implemented through security services, and encryption has to do with confidentiality.

Basic concepts of cryptography include trusted third parties, publc key infrastructure and the story of Bob and Alice. A trusted third party helps us to trust connections between other Internet environments, and things like that. Keys can be divided into symmetric and asymmetric. Symmetric uses a single key and asymmetric uses a pair of keys. Bob and Alice have to do with certificates. Bob and Alice can trust each other because they use a trusted third party to authenticate through certificates. Cryptography is a widely used option for protecting data, and also an almost hardly secure option for transfering data.

 


Security architecture

--Originally published at Security blog

When substantial software for a certain service is to be build, a security architecture is also to be considered. What does this mean? Basically, a platform where everything is in its place, easy to maintain and to recover (in certain cases). Some times people need to maintain a software stable by its own (or most of its own) but now, let’s say, the ‘places’ of the components matter. Security must get inside, must be included within the architecture of the system.

The system itself can be constructed in many different ways, and also many things can affect how well the system is built. For example, a lot of preassure, letting inexperienced programmers make big changes or waiting for time’s passing without changing things. At the end, the system will not be able to be tested and will become fragile. Good thing is that we can reengineer everything.

Understanding the technology is an essential part of this, and i fyu don’t understand it completely, take some time to investigate or to ask someone else. Security is never, never a waste of time or money. I could say that a team of people (senior security people to be more precisse) can check these things. What this is al about is to consider a good architecture for the security to run nice, if this is not made like that, further security appliations will be made hard to implement.

Referencias

Boura, Andy [Andy Boura on Information Security, Technology, and Business]. (2014, july, 28th) 
Effective Security Architecture as a Foundation for Risk Reduction. Taken from https://www.youtube.com/watch?v=2flZGFulSOI&feature=youtu.be

What to do on risks!!

--Originally published at Security blog

Security is not just about implementing things and blocking-off just because. We will still talk in further chapters about the awerness of cyber attacks and stuff like that. Well, here we talk about risk mangement, and the first lesson to battle against risks is, effectively, to know that risks exists. Even if you don’t believe it, or you resist to believe it, among the population we have a lot of people who are just trying to leak into your systems, find a mistake to take advantage or to steal everything.

Lucky for us, we have work made for us! A nice framework is to be followed to manage all the risk management. Six steps are available for our knowledge, wich are:

1- Categorize

2- Select

3- Implement

4- Assess

5- Authorize

6- Continuous monitoring

Each of these steps have a clear clue of what they should be, but for illustrative purposes we will explain them one by one. Categorize is to, well, categorize dangers. Most dangers are easier to attack if we put them in groups with same characteristics, so can take in consideration more and more dangers. Select is to, once again, select which technology or correct measure to have against a certain danger or dangers. The next step will be the implementation of the measures selected.

Resultado de imagen para risk management

Assess the decision made is next, we now have to make an evaluation of the thing we will use, and choose between a better one or the current one. To authorize is to accept the solution, and to have it there is to have a clear method of what to do in case of. Continuous monitoring is to look for things constantly. To know where to look for what things, but wishing you will not find anything. Still if you find something,

Continue reading "What to do on risks!!"