Product security needs a holistic approach

How do you secure a webshop, an electric car, an office management system? Securing an IT-enabled product requires you to consider many topics, and overlooking a single one can by itself leave a security flaw in that product.

Let us presume that you have a webshop that sells books. What security measures do you need to protect the data about the books you sell, their availability and prices, as well as your customers’ transactions?

Software developers will think about security in source code and application logic, whilst system and network administrators will think of the IT infrastructure on which the application runs. Who has the holistic view of all the security measures that should be in place? When you build an eCommerce webshop, are your IT processes equipped for an online service, or are they only fit for internal office automation? Being online implies being operational 24/7 and assuming you are under attack 24/7. Is that also your requirement?

Also, what does creating an online webshop imply for your business processes? How do business processes support the protection of your webshop data? How do you ensure that you not only have a webshop that sells, but also mitigate the risks that come with running an eCommerce webshop, for example online fraud?

Naturally, the clean approach is to determine requirements for a product, applying the following steps:

  1. evaluate the business sensitivity of the product
  2. determine the potential risks, including their likelihood and impact
  3. set security requirements that prevent or reduce the relevant risks

Practically, for every IT-enabled product, security requirements consist of both manual and automated processes, as well as business-specific and generic functionality. Applying these two dimensions, the following topics are to be covered:

[Figure: Basic Quadrants]

So, you should address the four topics:

  1. administrative business process controls
  2. application controls
  3. IT infrastructure controls
  4. IT management process controls

And once you go in depth, you will recognise that each of these four topics has its own sub-topics to be considered:

[Figure: Quadrant details]

This model can help you to effectively and efficiently set product security requirements, build an IT-enabled product, and also assess the risks of an IT-enabled product.

As your homework, I recommend applying this model to assess the security of a product in your organisation, for instance your newest website. It will be interesting to evaluate whether all topics and sub-topics are covered, and whether a missing topic or sub-topic creates risks for the website that you assess.