Data Protection and Integrity
Traditionally, data integrity and confidentiality have played only a subordinate role in software development. The focus was always on features and convenience. Worse, this general attitude is still prevalent. A critical point is that software companies earn money selling 'solutions' for security problems they created.
As a result, applications normally save content neither encrypted nor signed. Without any hurdles, files are loaded into applications just because of their file suffix. There are many such obvious security risks built into applications.
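The gap described above, as an added example that is not part of the original page: a loader that trusts the file suffix next to one that accepts a file only if an integrity tag verifies and the bytes match the declared type. HMAC-SHA256 with a shared key stands in for signing here; the key handling, function names and sample files are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
import tempfile

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # leading bytes of every PNG file

def sign(content, key):
    """Return content followed by an HMAC-SHA256 tag over it."""
    return content + hmac.new(key, content, hashlib.sha256).digest()

def load_by_suffix(path):
    """Pattern criticised above: the file name alone selects the handler."""
    with open(path, "rb") as fh:
        return ("image" if path.endswith(".png") else "unknown"), fh.read()

def load_verified(path, key):
    """Return (content, "accepted") or (None, reason) after tag and type checks."""
    with open(path, "rb") as fh:
        blob = fh.read()
    content, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, sign(content, key)[-TAG_LEN:]):
        return None, "integrity check failed"
    if not content.startswith(PNG_MAGIC):
        return None, "content does not match declared type"
    return content, "accepted"

def demo():
    """Write four constructed .png files and report each loader's decision."""
    key = os.urandom(32)  # assumption: the key is stored apart from the files
    body = PNG_MAGIC + b"constructed body"
    script = b"#!/bin/sh\necho constructed sample, not an image\n"
    tampered = sign(body, key).replace(b"body", b"BODY")  # changed after signing
    files = {"good": sign(body, key), "tampered": tampered,
             "unsigned": script, "mistyped": sign(script, key)}
    result = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            path = os.path.join(d, name + ".png")
            with open(path, "wb") as fh:
                fh.write(data)
            result[name] = (load_by_suffix(path)[0], load_verified(path, key)[1])
    return result
```

The suffix-based loader treats all four files as images; the verifying loader accepts only the one whose tag and content both check out.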
Despite all the talk about IT security, the issue is usually only tackled after some incident. Apart from sloppy programming and reckless implementation of dangerous features, the main security risk is the people using IT resources. It requires clear and coherent directives and consistent observance by the superiors to implement data protection measures and establish confidential communication.
There are some simple rules:
- A non-existing feature cannot be exploited.
- The weakest point determines the security of the whole system.
- Avoiding a potential security threat is usually less expensive than guarding against it.
- Unwanted access (intrusion) is difficult to detect, and always only after the fact.
- Implementing IT security requires restrictions of access to and availability of resources.
- Application security and data integrity are usually subordinated to features and convenience.
- Users tend to be annoyed by any security-related rules that complicate the use of an application and will try to ignore or circumvent them.