If your application is not dealing with sensitive data, is it still important to test for security?
To answer this question, it’s important to understand that security is not simply the absence of vulnerabilities. Security is typically defined as confidentiality, integrity, and availability of information and processing systems. Today’s headlines are full of security compromises; most of the stories involve the loss of confidentiality (the leaking of sensitive data, the release of personal health information, the disclosure of credit card information, etc.) While not all applications deal with sensitive data, all applications which are sensitive to confidentiality, integrity or availability must be reviewed with security in mind.
One way to approach this question is to consider two real-world examples. Our first example involves the integrity of data. Take, for instance, an online service which supplies statistical data to various fantasy sports sites (pick your sport – fantasy cricket, fantasy football, you name it). There’s usually more than just pride riding on the results-- many people bet real money on the outcome of their fantasy season. These sites are relied upon as being correct and accurate in the data they use. That means the originating service is relied upon, too. While the originating service may contain no sensitive information (no personally identifiable information, no personal health or financial data), the accuracy of the game results means everything to the consumers. If hackers are able to modify the data residing on the service, they can call into question the outcome of every fantasy sports game in every league leveraging the service.
A second consideration is a site’s availability. Consider a site which stores no important information, and for which the accuracy of data, while important, isn’t core to the ongoing business strategy. Take, for instance, a news aggregation site. This site is not responsible for the content of the actual news articles; all the site does is gather news headlines in a central location where users can quickly come up to speed on recent events. If that site’s entire revenue is funded by ad click-throughs, it’s safe to say the site must be available in order for the owning company to generate revenue. Should the site be taken down, click-through activity will cease and the company will not make money.
It’s important for companies to consider each aspect of security-- confidentiality, integrity, availability-- and determine their sensitivity to each aspect. This will allow the company to develop a security strategy which is risk-based and which allocates resources where they’ll achieve the biggest return. Not all companies store sensitive information, but all companies will ultimately have a need to address at least one of these aspects of security.
This was first published in September 2011