SE Notes
Fundamental concepts and principles of software security.
Software security is the discipline of designing, building, and maintaining software that continues to function correctly under malicious attack. It is fundamentally different from software quality or reliability—a system can be reliable (rarely crashes) yet insecure (easily hacked). Security is about intentional adversaries actively trying to make your system misbehave, steal data, or deny service. Every connected software system faces these threats, and security breaches carry consequences ranging from financial loss and regulatory penalties to physical harm and national security risks. Understanding security basics is no longer optional for any software professional.
The CIA Triad
The foundation of information security rests on three properties, known as the CIA triad:
Confidentiality ensures that information is accessible only to those authorized to access it. When patient medical records are visible only to their healthcare providers, confidentiality is maintained. When those records leak to unauthorized parties through a vulnerability, confidentiality is violated.
Integrity ensures that information is not modified in unauthorized or undetected ways. When a bank account balance accurately reflects all legitimate transactions, integrity is maintained. When an attacker modifies the balance or injects fraudulent transactions, integrity is violated.
Availability ensures that authorized users can access information and services when needed. When an online store handles customer requests promptly, availability is maintained. When a distributed denial-of-service (DDoS) attack overwhelms the servers, availability is violated.
These three properties often involve tradeoffs. Maximum confidentiality (encrypting everything, restricting all access) can reduce availability. Maximum availability (no access controls, open to everyone) eliminates confidentiality. Security engineering balances these properties based on system requirements and risk tolerance.
Security Principles
Least Privilege: Every user, process, and component should have only the minimum permissions necessary to perform its function. A web application should not connect to the database as a superuser. A microservice should not have access to other services' data stores. If a component is compromised, least privilege limits the damage an attacker can inflict.
Defense in Depth: Never rely on a single security control. Layer multiple defenses so that if one fails, others still protect the system. Like a castle with walls, a moat, guards, and locked doors—an attacker must defeat all layers to succeed.
Fail Secure: When a system encounters an error or unexpected condition, it should default to a secure state rather than an open one. If an authorization check throws an exception, deny access rather than granting it. If a firewall crashes, block all traffic rather than allowing it.
Separation of Duties: No single individual or component should have enough privilege to compromise the system alone. Implementing a transaction might require one person to initiate and another to approve. Deploying code might require both the developer and a separate reviewer.
Economy of Mechanism: Security mechanisms should be as simple as possible. Complex security code is more likely to contain flaws. Simple, well-understood mechanisms are easier to verify, audit, and maintain correctly.
Threat Modeling
Threat modeling systematically identifies potential threats to a system and determines appropriate countermeasures. The STRIDE framework categorizes threats:
| Threat | Definition | Example | Property Violated |
|---|---|---|---|
| Spoofing | Pretending to be someone else | Fake login page stealing credentials | Authentication |
| Tampering | Modifying data without authorization | Altering order amounts in transit | Integrity |
| Repudiation | Denying having performed an action | Claiming a transaction was unauthorized | Non-repudiation |
| Information Disclosure | Exposing data to unauthorized parties | Database leak exposing user passwords | Confidentiality |
| Denial of Service | Making resources unavailable | DDoS attack flooding servers | Availability |
| Elevation of Privilege | Gaining unauthorized access levels | Regular user gaining admin access | Authorization |
Real-World Example: E-Commerce Security Architecture
An e-commerce platform implements security fundamentals:
Confidentiality measures:
- Customer passwords hashed with bcrypt (never stored in plaintext)
- Credit card numbers tokenized through payment processor (never stored locally)
- All communication encrypted with TLS 1.3
- Database encrypted at rest
- Personal data accessible only through authorized API endpoints
Integrity measures:
- Digital signatures on order confirmations prevent tampering
- Database transactions with ACID properties prevent partial updates
- File integrity monitoring detects unauthorized changes to application code
- Input validation prevents injection of malicious data
Availability measures:
- Auto-scaling infrastructure handles traffic spikes
- DDoS protection at the network edge
- Redundant databases with automatic failover
- Rate limiting prevents abuse from individual sources
- Graceful degradation under extreme load (serve cached content)
Security in the Development Lifecycle
Security is not a phase—it is a property woven throughout the entire development lifecycle:
Requirements: Define security requirements alongside functional requirements. "Customer data must be encrypted at rest" is as important as "customers can search products."
Design: Threat model the architecture. Identify trust boundaries. Design authentication, authorization, and encryption mechanisms.
Implementation: Follow secure coding practices. Use parameterized queries. Validate all input. Encrypt sensitive data. Never hardcode credentials.
Testing: Perform security-specific testing: vulnerability scanning, penetration testing, code review for security flaws.
Deployment: Harden server configurations. Apply principle of least privilege to service accounts. Enable security monitoring and alerting.
Maintenance: Patch vulnerabilities promptly. Monitor for anomalous behavior. Respond to security incidents. Update security mechanisms as threats evolve.
The Human Factor
Technology alone cannot provide security. Social engineering attacks bypass all technical controls by manipulating people. Phishing emails trick employees into revealing credentials. Pretexting convinces support staff to reset passwords. Tailgating follows authorized personnel through secure doors. Security awareness training, clear security policies, and a culture where reporting suspicious activity is encouraged are essential complements to technical security measures.
Security Metrics
Organizations measure security posture through: time to detect breaches (mean time to detect), time to respond to incidents (mean time to respond), number of known unpatched vulnerabilities, percentage of systems compliant with security policies, results of regular penetration tests, and frequency of security training completion. These metrics guide investment in security improvements and demonstrate due diligence to regulators and stakeholders.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Software Security Basics.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Software Engineering topic.
Search Terms
software-engineering, software engineering, software, engineering, security, basics, software security basics
Related Software Engineering Topics