Confidentiality, integrity, and availability are considered the three core principles of security. Similar to a three-bar stool, security falls apart without any one of these components. Thus, the CIA triad (Confidentiality, Integrity, Availability) posits that security should be assessed through these three lenses.
The CIA triad can be used before and after you conduct security testing.
The CIA triad is a powerful model that drives the identification of critical applications, assessment of vulnerability severity, and prioritization of vulnerability fixes. In the following sections, we’ll dive into each of theCIA components.
Confidentiality refers to measures that prevent sensitive information from reaching the wrong people, while still reaching the right people. Confidentiality revolves around the “least privilege” principle.
Information access should be provided on a need-to-know basis. Information needs to be categorized by sensitivity to enforce user access levels and control.
Confidentiality related security measures aim to prevent information theft from an application. Examples include:
Integrity refers to the measures taken to ensure consistency, accuracy, and trustworthiness of data over its entire lifecycle. Once information is submitted into a system, data must be protected from unauthorized tampering or deletion. Integrity related security measures aim to prevent the manipulation of information within a system. Examples include:
Availability is the final component in the CIA Triad. Availability related security measures aim to ensure that vital systems have the infrastructure support and mechanisms required to ensure the data they house is available when needed. Examples include:
Application availability, or lack thereof, is commonly underestimated as a security issue. Sure, application failures or crashes can lead to inconvenient and unexpected scrambles to meet SLA requirements, but they can also serve as an entry point for attack. In software security, competing priorities and long paralyzing vulnerability backlogs are universal.
As organizations sift through their vulnerability backlogs, models like the CIA triad can help identify which vulnerabilities pose the greatest risk.
The model urges organizations to triage vulnerabilities with three simple questions in mind:
Download the complete whitepaper: How to Address Software Reliability, Security, and Quality Requirements with Fuzz Testing.
By answering these questions, organizations can better understand where to focus remediation efforts or what areas of code to further test. As you begin applying these learnings to your organization, you may come to realize that you have to answer more than three questions. These three questions have to be applied to every vulnerability your testing tool flagged! There’s not enough time or resources to get through them all. That’s where the NIST’s CVSS scoring system can help. The CVSS scoring system already utilizes the basic principles in the CIA triad to assess the severity of disclosed vulnerabilities, or known vulnerabilities. Bear in mind, the CVSS scoring system is only available for known vulnerabilities. This means sense. If we don’t know the vulnerabilities exist, how can we rate it?
To learn how fuzz testing can help you identity unknown vulnerabilities, fast, download the complete How to Address Software Reliability, Security, and Quality Requirements with Fuzz Testing white paper.
Thank you for subscribing!