Security quality is the ability to reasonably guard against accidental or malicious completion or alteration of tasks as unauthorised users (known as threat actors) or prevention of authorised users from completing tasks when they need to. Together, this makes up for three quality sub-dimensions of confidentiality, integrity and availability (CIA) ((ISC)², 2022). Reliability can be seen as a sub-dimension of cybersecurity where integrity and availability also come into play, however with software testing, its useful to consider threats involving bad actors (security) from those that do not (reliability).
Stakeholders will prioritise quality in software whenever there’s important assets to protect, such as data or completion of certain tasks, and when there’s an increased risk of unauthorised access or external disruption.
Confidentiality: The ability to reasonably guard against completing tasks as unauthorised users, for example, viewing data that must be kept secure.
Integrity: The ability to reasonably guard against altering tasks as unauthorised users, for example, changing system configuration or data.
Availability: The ability to reasonably guard against losing the ability to complete tasks as authorised users, for example, viewing or changing data.
Office software that’s installed and used locally from within a private office and doesn’t deal with important data or operations wouldn’t gain much value from increased security. However should the software be available to use online, then security becomes more important, so the software would need to restrict who could use and access any files created. Examples of threats to security value include:
- Lacking or broken access control (authentication and authorisation)
- Lack of patching process for known vulnerabilities
- Servers not stored in a secure place where anyone can walk in
- Servers lacking redundancy in case of power cut, fire or flood
- Form inputs not sanitised and open to SQL injection
- Data not being encrypted when sent across networks
- User repudiation, especially during a security event
Some famous security bugs include:
Heuristics to test for security quality may include:
- Auth - Authentication vs Authorisation: Confirming users are who they say they are and assigning what users can do and access
- MAC/DAC/RBAC - For authentication and authorisation, logical access control can be mandatory, discretionary or role-based
- MFA - Authentication via multiple method types of knowledge, possession (token) and inherence (biometric) where needed
- (ISC)². (2022). Security Principles. Certified in Cybersecurity Resources. (p. 7)