How to Address Software Reliability, Security, and Quality Requirements with Fuzz Testing
Confidentiality, integrity, and availability are considered the three core principles of security. Similar to a three-bar stool, security falls apart without any one of these components. Thus, the CIA triad (Confidentiality, Integrity, Availability) posits that security should be assessed through these three lenses.
The CIA triad can be used before and after you conduct security testing.
- Before testing: Too commonly, a top challenge for organizations is not knowing where to begin. In these cases, conduct an inventory of your applications and assess each one. Determine the potential impact to your business if confidentiality, integrity, or availability were to be compromised. This approach roots out the apps that are most critical to your business. It informs which apps to test and in what order.
- After testing: Organizations can also leverage the CIA triad to prioritize fixes. Another common challenge organizations face after receiving their test results is figuring out how to prioritize fixes. Based on what your business prioritizes most -- confidentiality, integrity, or availability -- the CIA triad can help businesses understand the severity of a vulnerability and inform which vulnerabilities to fix in what order.
The CIA triad is a powerful model that drives the identification of critical applications, assessment of vulnerability severity, and prioritization of vulnerability fixes. In the following sections, we’ll dive into each of theCIA components.
What is Confidentiality?
Confidentiality refers to measures that prevent sensitive information from reaching the wrong people, while still reaching the right people. Confidentiality revolves around the “least privilege” principle.
Information access should be provided on a need-to-know basis. Information needs to be categorized by sensitivity to enforce user access levels and control.
Confidentiality related security measures aim to prevent information theft from an application. Examples include:
- Identification. Identification is a unique identifier that ties an identity to a user. Identification, such as a username, enables systems to assess whether the individual should have access to the information.
- Authentication. Authentication is the process of an individual proving they are the identity they claim by providing credentials. Examples of credentials include a pin or password.
- Authorization. Once an individual has been authenticated, they are given access, or authorization, to specified information and resources.
- Encryption. Encryption is the practice of converting plain text into ciphered data. The ciphered data can only be decoded by entities that have the decryption key. This ensures communications remain private, even in plain view of adversaries.
Integrity refers to the measures taken to ensure consistency, accuracy, and trustworthiness of data over its entire lifecycle. Once information is submitted into a system, data must be protected from unauthorized tampering or deletion. Integrity related security measures aim to prevent the manipulation of information within a system. Examples include:
- Hashing. Hashing is the practice of generating a value for a file or string of data. Hashes are sent along with the original message. The receiving system, then, generates its own hash of the received data. Differences between the original hash and the generated hash indicates loss of integrity, considered the submitted data suspect.
Availability is the final component in the CIA Triad. Availability related security measures aim to ensure that vital systems have the infrastructure support and mechanisms required to ensure the data they house is available when needed. Examples include:
- Load balancing. Load balancing is the practice of distributing network requests across various computing resources to ensure maximum output, minimize response times, and avoid overloading a single system.
- Fault tolerance. Fault tolerance means that a system can tolerate a fault, recover, and continue to operate. Fault tolerance is established by having redundant systems in place to resume operation when system failures occur.
Application availability, or lack thereof, is commonly underestimated as a security issue. Sure, application failures or crashes can lead to inconvenient and unexpected scrambles to meet SLA requirements, but they can also serve as an entry point for attack. In software security, competing priorities and long paralyzing vulnerability backlogs are universal.
CIA Triad Offers Clarity Amidst the Chaos
As organizations sift through their vulnerability backlogs, models like the CIA triad can help identify which vulnerabilities pose the greatest risk.
The model urges organizations to triage vulnerabilities with three simple questions in mind:
- Confidentiality. Can the vulnerability lead to theft of information?
- Integrity. Can the bug allow manipulation of data during or after submission?
- Availability. Can the vulnerability impact the availability of a system or systems?
By answering these questions, organizations can better understand where to focus remediation efforts or what areas of code to further test. As you begin applying these learnings to your organization, you may come to realize that you have to answer more than three questions. These three questions have to be applied to every vulnerability your testing tool flagged! There’s not enough time or resources to get through them all. That’s where the NIST’s CVSS scoring system can help. The CVSS scoring system already utilizes the basic principles in the CIA triad to assess the severity of disclosed vulnerabilities, or known vulnerabilities. Bear in mind, the CVSS scoring system is only available for known vulnerabilities. This means sense. If we don’t know the vulnerabilities exist, how can we rate it?
To learn how fuzz testing can help you identity unknown vulnerabilities, fast, download the complete How to Address Software Reliability, Security, and Quality Requirements with Fuzz Testing white paper.