Software Engineering basics - Software Security
Software Security
Definition:
Software security is the practice of protecting software systems from threats, attacks, and unauthorized access, ensuring that the system is confidential, reliable, and available. It is an essential part of software development to safeguard data, maintain trust, and prevent misuse.
Core Principles of Software Security
- Authentication
  - Confirms the identity of a user or system before granting access.
  - Examples: Passwords, multi-factor authentication, biometric verification.
- Authorization
  - Determines what authenticated users are allowed to do.
  - Example: Regular users can read data; admins can edit or delete.
- Encryption
  - Converts data into a secure format to prevent unauthorized access.
  - Symmetric encryption uses the same key for encryption and decryption.
  - Asymmetric encryption uses public/private key pairs.
  - Example: HTTPS for secure communication over the internet.
- Integrity
  - Ensures data is not altered or tampered with.
  - Example: Using hash functions or digital signatures.
- Availability
  - Ensures software and data are accessible when needed, even under attack.
  - Example: Measures against Denial of Service (DoS) attacks.
- Secure Coding Practices
  - Writing code to prevent vulnerabilities and reduce attack surfaces.
  - Examples:
    - Input validation to prevent SQL injection
    - Proper error handling to avoid revealing sensitive information
    - Using parameterized queries and avoiding hard-coded secrets
Common Security Threats
- SQL Injection and Code Injection
- Cross-Site Scripting (XSS)
- Buffer Overflows
- Malware and Viruses
- Unauthorized Access / Privilege Escalation
- Data Breaches
Best Practices for Software Security
- Implement strong authentication and authorization
- Encrypt sensitive data both at rest and in transit
- Regularly update and patch software
- Follow secure coding standards (e.g., OWASP guidelines)
- Conduct security testing: penetration tests, code reviews, vulnerability scans