Some thoughts about information security
- by 7wData
With the amount of data being generated these days, it is getting harder and harder to keep track of what data is exposed to the public and what should be controlled. And control can be imposed at various levels: registration only, so that the number of views can be logged; registration with verification, so that it is possible to track which information each user has accessed; complete restriction of access, so that certain data is only available to a small number of people; and so on. While none of this is completely new, the ideas I want to discuss are of great importance: properly implemented, they add business value; overlooked, they become a show-stopper.
There are, of course, a number of vendors on the market offering products that handle security at different levels, as well as various open source solutions, but I think that any product, however sophisticated it may be, is only half of the solution.
Without a proper understanding of what is going on in the system and how things should work under the hood, you are more or less bound to get lost. I do understand that different systems have different needs, so there is no perfect solution for each and every case, but some concepts can still be considered cornerstones of application security, and I would like to discuss some of them. Let us consider a simple system, e.g. an online shop, which has a database with tables for products, clients and orders, some services that are used to call the database, and a front end that is publicly available.
The easiest solution is to connect the components directly to each other and implement security in the front end only, but what good will that do? What if the front-end app gets compromised? Or, even worse, the internal network is breached, so that someone with access to the inside of the system can call the IO services directly? Should we then implement security in each and every component? That can be achieved by writing a security library reused by all components, but what about updates? Say a new component is implemented using some other technology that is not compatible with the library in use. In that case there is no way around a new round of development, with new tests and potential inconsistencies between components.
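To make the point concrete, here is an added example (not code from the original post) that reduces the online-shop system above to tiny in-process components. The first version checks access in the front end only; an insider who can reach the orders service directly simply skips that check. The second version has the orders service verify an HMAC-signed token itself, so the check holds no matter which path the request took. The client data, the key and the token format are all constructed for illustration; the identity component that would issue tokens at login is assumed, not shown.

```python
"""Front-end-only authorization versus per-component enforcement.

Added example for illustration only; all data, keys and names are
constructed and do not come from any real system.
"""
import base64
import hashlib
import hmac
import json

# Constructed "orders" table, keyed by client id.
ORDERS = {
    "alice": [{"order_id": 1, "item": "keyboard"}],
    "bob":   [{"order_id": 2, "item": "monitor"}],
}

# --- Version 1: security lives in the front end only --------------------

def orders_service_v1(client_id):
    """Inner IO service that trusts whoever calls it."""
    return ORDERS.get(client_id, [])

def front_end_v1(session_user, requested_client):
    """The only place where access is checked."""
    if session_user != requested_client:
        raise PermissionError("not your orders")
    return orders_service_v1(requested_client)

def insider_reads_bobs_orders_v1():
    """Attacker inside the network never goes through the front end."""
    return orders_service_v1("bob")

# --- Version 2: every component verifies a signed assertion -------------

SECRET = b"constructed-demo-key"  # hypothetical key shared by issuer and services

def issue_token(subject):
    """Stand-in for the identity component: payload plus HMAC-SHA256 tag."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode())
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return payload + b"." + base64.urlsafe_b64encode(tag)

def verify_token(token):
    """Reject any token whose tag does not match its payload."""
    payload, _, tag = token.partition(b".")
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag)):
        raise PermissionError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload))

def orders_service_v2(token, client_id):
    """Same service, but it enforces access itself: the caller must present
    a valid token whose subject owns the requested orders."""
    claims = verify_token(token)
    if claims["sub"] != client_id:
        raise PermissionError("token subject does not own these orders")
    return ORDERS.get(client_id, [])

def front_end_v2(token, requested_client):
    """The front end may still check early, but the service no longer
    depends on it doing so."""
    return orders_service_v2(token, requested_client)

def insider_reads_bobs_orders_v2():
    """Two direct calls to the service: with alice's genuine token, and with
    a forged token that reuses alice's tag over a payload claiming 'bob'."""
    alice_token = issue_token("alice")
    try:
        orders_service_v2(alice_token, "bob")
        return "leaked"
    except PermissionError:
        pass
    forged_payload = base64.urlsafe_b64encode(json.dumps({"sub": "bob"}).encode())
    forged = forged_payload + b"." + alice_token.split(b".")[1]
    try:
        orders_service_v2(forged, "bob")
        return "leaked"
    except PermissionError:
        return "blocked"

if __name__ == "__main__":
    print("v1 insider:", insider_reads_bobs_orders_v1())
    print("v2 insider:", insider_reads_bobs_orders_v2())
    print("v2 legitimate:", front_end_v2(issue_token("alice"), "alice"))
```

Note what keeps the second version from running into the update problem described above: the components agree on a small, documented token format, not on a shared library. A new component written in a different language only has to implement the same verification, which is a few lines in any language with an HMAC primitive.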