Three golden rules

Right at this point in the course, we have been taught many things about effective security in our environment as software engineers. But we are also involved in one big project: an application that will help elementary school children learn math better. So we also have to take special care of the application's own security, which is a topic we have not discussed in this blog yet.

First of all, there are several rules we should follow. I found many interesting articles about golden rules for security. One of them said there are three golden rules for never having security issues: do not own a computer, do not turn it on, and do not use it. These are not very practical because, well, if you are reading this then you have already broken all three (just like me).

[Image: a golden lock. Caption: We get a nice golden lock.]

Because of that, we need another set of rules, and I found one that I liked because it was written with IoT in mind. First, we must review the code we write over and over, and we must test its security very often. We have seen many of these practices earlier in the course. This point certainly implies prioritizing, and knowing your strengths and weaknesses. Second, continuous development. I understand this one as never coming to a halt when working on security. Things change every day, and so must the security measures that are implemented (they must be improved, at minimum). Last, managers (in a business setting) must take responsibility. I disagree on this one. I think both managers and the engineers who build the security parts should take responsibility, mainly because managers are usually not the ones who look after security.

Our Semestre i project needs security measures, mainly because we will be handling sensitive information about people. These rules must apply to it, and I have thought about applying them in the following way. For rule number one, while developing these features we will test them many times, to make sure our methods are correctly implemented and will be useful once the application starts being used. For the second one, we should definitely offer maintenance. If one of the things we worked on becomes compromised by new attacks or by newly found vulnerabilities, we should be there and ready to fix all of it quickly, because a lot of information could be exposed. For the third and last, we will assume responsibility as long as the application is used correctly. If one of the users gives away a password or something like that, then it is more likely that the information will be exposed. It is our responsibility to look after the things we built, and not after any leak caused by the users' misuse (I think).

In further posts I will talk more specifically about what we have done (or could do) about security in our project.

References
Rossi, B. (October 7, 2015). Three golden rules for software security in the IoT. Information Age. Retrieved from http://www.information-age.com/three-golden-rules-software-security-iot-123460293/
Spira, D. (January 24, 2010). Morris's three golden rules of computer security. The Geek Whisperer. Retrieved from https://thegeekwhisperer.com/2010/01/24/morriss-three-golden-rules-of-computer-security/
