Securability is about controlling access to a variety of resources such as software components, data, and hardware. Security measures are based on the following four concepts:

  1. Authentication
  2. Authorization
  3. Data Protection
  4. Auditing


Authentication is confirming identity. A requestor must be authenticated before it can request access to a resource. The requestor establishes identity by passing in some form of credentials which is only known to the requestor and the authenticating host.


Authorization is the process of verifying that an authenticated requestor has permission to access certain resources. Authentication does not imply authorization. Authentication is about 'who are you?' Authorization is about 'what are you allowed to access?'

Data Protection

Data protection is the process of providing data 1)  confidentiality 2) integrity and 3) non-repudiability. Data-protection is required not only when data is in transit from one place to another, but also while it is stored.

Data confidentiality can be provided through encryption.

Data integrity can be achieved through the use of hash-algorithms, digital signatures, and message authentication codes. A hash is a fixed-length string of numbers and characters. It is computed using a hashing algorithm such Message-Digest 5 (MD5) or other standard hashing algorithms. This hash value is then sent with the data where a receiver can then compare a hash value it calculates based on the received data with the actual hash value already supplied by the data. If the two values differ, then data integrity has been compromised.

Digital signatures take hashing a step further by encrypting the computed hash using a private key. This step prevents attackers from intercepting data, modifying it, and then simply re-computing the hash for the modified data. Because the hash is now encrypted, an attacker would need to have access to the original private used to decrypt the hash value. On the receiving end, digital signatures can be verified using the associated public key.

Non-repudiability can be used to prove the origin, contents, and time-stamp of the data.


Auditing is the process of logging and monitoring events that occur in a system and that are of interest to security. Auditing provides the key source of security forensics.

Designing for Securability

The security design process is cyclical. Application security depends upon the vigilance of developers and administrators during all phases of an application's life. Because new security threats arise almost daily, an application must be scrutinized constantly for potential security flaws. Application scrutiny may include all software development efforts - design, development, testing, and deployment. The following recommendations can be helpful when designing for securability:

Testing for Securability

Security testing is about validating your application's security services and identifying potential security flaws.  Observe the following pitfalls when testing for securability:

Keeping the above points in mind, below are suggestions for testing the securability of your application:

Staying Secure

Applications evolve, new features are added, bugs are fixed, but at the same time, security threats evolve.  Therefore, it is important to conduct periodic security reviews to ensure that the application continues to be secure. The following are steps you can take to preserve the security of your application:

Best Practices for Securability

The following best practices (presented in no particular order) are recommended for creating secure applications: