What George Washington Has to Do with Application Security
I wanted to write a blog article about application security that would be interesting, informative and most definitely not boring - a task easier said than done. Apparently a lot of technologists agree, because there is a website dedicated solely to clever analogies between information security and things people already know.
Application security cannot rely on technology alone; it also requires awareness and vigilance from the human users who constantly access, share and act upon digital assets and enterprise content. Recognizing this fact, the Analogies Project was launched in 2012 to help technology subject matter experts convey information security best practices to non-technical end users.
Contributors use the power of storytelling to draw parallels between key security topics and common topics such as art, literature, sports, history and family life, to help application development leaders engage effectively with end users to build security awareness and preparedness throughout the organization.
Among the many clever Analogies Project articles, a humorous story by IT consultant Claus Houmann particularly stood out. Houmann drew a comparison between frontline information security and his young daughter’s pet rabbits that kept finding new ways to escape their garden cage, despite his best efforts!
Poking fun at himself over getting outsmarted by the freedom-seeking bunnies, Houmann noted that “many of these troubles could have been avoided if MANAGEMENT had thought this through and created a strategic security program” before building the rabbits’ cage!
Similarly, if application security protection is done “after the fact,” separately from the application development itself, your organization’s valuable digital assets and intellectual property may well be at risk.
As noted in a recent Nuxeo tech brief, Protect Enterprise Digital Assets with Built-In Security, a true content application development platform will enact security as a permanent, pervasive process throughout the entire software development life cycle. As just one example, the Nuxeo Platform provides “always on” security. It is not possible to even develop on the Nuxeo Platform without at least a default security model.
In another Analogies Project article, contributor Yotam Gutman addresses the risk of security breaches perpetrated by company insiders, who violate their trust and try to steal digital assets or help outsiders gain illicit access to intellectual property. To help make this point, Gutman uses a provocative quote, often attributed to Voltaire:
May God defend me from my friends; I can defend myself from my enemies.
I would like to expand on this point by drawing another analogy between internal security and the wisdom of George Washington regarding friendship:
Be courteous to all, but intimate with few, and let those few be well tried before you give them your confidence. True friendship is a plant of slow growth, and must [first] undergo and withstand the shocks of adversity...
From a security perspective, President Washington's advice conveys the importance of not entrusting any one manager - no matter how "friendly" - with a complete security process from beginning to end; in security engineering terms, separation of duties. A true digital asset management application development platform will address attack vectors from within the organization using multiple, independently enforced layers of security.
For example, the Nuxeo Platform provides the following concurrent levels of security which cannot be bypassed:
- Access control lists (ACLs), which Nuxeo uses to manage permissions at the level of the data itself: which users and groups may read or modify a given document.
- Custom security policies, which are code evaluated at access time to enforce mandatory access controls (MACs); a policy may override or supplement whatever the applicable ACLs say, a common requirement for military and government systems where a classification label must win over any discretionary grant.
These layers of security can be used to limit user access (for example, Elena can access only those digital assets related to projects she is managing) as well as limit user actions (because Louis does not have permission to modify existing files, the Nuxeo Platform does not display an "edit" button as part of his application UI). The hidden button is a courtesy to the user, not the control: the same permission check runs on the server, so Louis cannot modify the file by crafting the request the button would have sent.
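The following is an added illustration of the layering described above, written for this article; it is not Nuxeo code and does not use Nuxeo's APIs. It models a discretionary ACL layer beneath a set of mandatory policies: a policy may veto an ACL grant (a clearance label, a project-membership rule) or supplement it (an ownership rule), and any veto is final regardless of evaluation order. The UI's visible actions are then derived from the same authorization decision, so the "edit" button disappears for Louis because the check fails, not the other way round. All names, documents, classification levels and group names are constructed for the example.

```python
"""Layered authorization: mandatory policies evaluated in front of discretionary ACLs,
with UI affordances derived from the same decision. Constructed example, not Nuxeo code."""
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    GRANT = "grant"
    DENY = "deny"
    UNKNOWN = "unknown"  # the policy has no opinion; defer to the next layer


@dataclass(frozen=True)
class ACE:
    principal: str      # user or group name
    permission: str     # e.g. "Read", "Write"
    granted: bool       # True = grant, False = explicit deny


@dataclass
class Document:
    name: str
    project: str
    classification: int   # constructed scale: 0 = public ... 3 = secret
    owner: str
    acl: list = field(default_factory=list)   # ordered list of ACE


@dataclass
class Principal:
    name: str
    groups: frozenset = frozenset()
    clearance: int = 0
    projects: frozenset = frozenset()   # projects this principal manages

    def identities(self):
        return {self.name, *self.groups, "Everyone"}


def acl_check(doc, principal, permission):
    """Discretionary layer: first matching ACE wins; no matching ACE means deny."""
    for ace in doc.acl:
        if ace.principal in principal.identities() and ace.permission == permission:
            return ace.granted
    return False


def clearance_policy(doc, principal, permission):
    """Mandatory: no ACL grant can expose a document above the reader's clearance."""
    return Access.DENY if doc.classification > principal.clearance else Access.UNKNOWN


def project_membership_policy(doc, principal, permission):
    """Mandatory: project managers only reach assets of the projects they manage."""
    if "project-managers" in principal.groups and doc.project not in principal.projects:
        return Access.DENY
    return Access.UNKNOWN


def owner_policy(doc, principal, permission):
    """Supplementing policy: the owner may act on a document even without an ACE."""
    return Access.GRANT if principal.name == doc.owner else Access.UNKNOWN


POLICIES = [owner_policy, clearance_policy, project_membership_policy]


def check_permission(doc, principal, permission):
    """Policies run first. Any DENY is final (even after a GRANT from another policy);
    a GRANT with no DENY short-circuits the ACL; all-UNKNOWN defers to the ACL."""
    decision = Access.UNKNOWN
    for policy in POLICIES:
        result = policy(doc, principal, permission)
        if result is Access.DENY:
            return False
        if result is Access.GRANT:
            decision = Access.GRANT
    if decision is Access.GRANT:
        return True
    return acl_check(doc, principal, permission)


ACTION_PERMISSION = {"view": "Read", "edit": "Write", "delete": "Write"}


def visible_actions(doc, principal):
    """UI affordances are computed from the authorization decision, never the reverse."""
    return sorted(a for a, p in ACTION_PERMISSION.items()
                  if check_permission(doc, principal, p))


# Constructed sample data: an ACL that grants Everyone read on each document.
ALPHA_PLAN = Document("alpha-plan.docx", project="alpha", classification=1, owner="maria",
                      acl=[ACE("Everyone", "Read", True), ACE("editors", "Write", True)])
BETA_BUDGET = Document("beta-budget.xlsx", project="beta", classification=1, owner="maria",
                       acl=[ACE("Everyone", "Read", True)])
SECRET_MEMO = Document("memo.pdf", project="alpha", classification=3, owner="ciso",
                       acl=[ACE("Everyone", "Read", True), ACE("Everyone", "Write", True)])

ELENA = Principal("elena", groups=frozenset({"project-managers"}), clearance=1,
                  projects=frozenset({"alpha"}))
LOUIS = Principal("louis", clearance=1)
MARIA = Principal("maria", clearance=1)

if __name__ == "__main__":
    for doc in (ALPHA_PLAN, BETA_BUDGET, SECRET_MEMO):
        for who in (ELENA, LOUIS, MARIA):
            print(f"{who.name:6} {doc.name:18} {visible_actions(doc, who)}")
```

Two things are worth noticing when running it. Elena's ACL check on the beta budget succeeds (Everyone may read it), yet the mandatory project policy vetoes the request; and Louis loses every action on the secret memo even though its ACL grants Everyone both read and write, because the clearance policy runs before the ACL is consulted at all. Maria, conversely, gets "edit" on the alpha plan with no ACE in her name, which is the supplementing direction of the same mechanism.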
Of course, there are many more common attack vectors - internal and external alike - all with the same ultimate goal of gaining illicit access to your organization’s invaluable digital assets and confidential files. Nuxeo defeats these attack vectors through application security built into the platform itself.
For further details, download our tech brief, Protect Enterprise Digital Assets with Built-In Security, and discover how content-driven applications developed on the Nuxeo Platform are highly secure by design!