security Getting started with security High Level Introduction to Information Security
Example
It is a basic human instinct to assess risk and to accept or take some kind of action on that risk. This is the essence of security, which is the body of knowledge that provides a framework around this instinct.
Security defines three key concepts in a triangular paradigm - Confidentiality, Integrity, and Availability (The CIA paradigm).
While it is common for society to believe that security is simply about protecting confidentiality, as a developer there is nothing done that does not fall somewhere under the banner of security. For example, code is written to add features to software (availability), to keep credentials safe (confidentiality), or to ensure that the simplest of functions produces a consistent and correct output (integrity).
The three concepts are quite often at odds by their nature. Imagine making a company's information available via an extranet. This availability opens up attack vectors that could compromise the confidentiality of the data. Similarly, a company with onerous confidentiality demands will hamper the company's desire to make data available to customers and partners. Or perhaps they wanted the data to be made available so fast the development of the site was rushed and led to data leaks between users - a lack of data integrity.
Following on from this, whoever or whatever is having software developed has different CIA values. Imagine that a retail website may value availability over integrity or confidentiality, while a bank will likely value confidentiality over availability and integrity. This is not to say that all are not valued in each case, but that each scenario carries different weightings of these values depending on the underlying risks.
In the real world, the CIA triad is often added to with up to 3 further factors, making up the Parkerian hexad: Possession or Control, Authenticity and Utility, and for transactional models, Non-Repudiation. So as you can see there is no simple model that fits all scenarios.
As a developer, "good security" is about knowing the right balance for what is being protected and how to protect it, and this is vastly different based on the type of data involved and the problems the software is solving.
