What is Information Security?
Information security means protecting data and systems from unauthorized access, use, or damage. The goal is to keep data safe from people who shouldn't have access to it, whether they intend to cause harm or not.
What are the three key concepts of Information Security?
Confidentiality: Keeping data private and only allowing authorized people to see it.
Integrity: Ensuring that data is not changed in an unauthorized way.
Availability: Making sure data and systems are accessible when needed.
What are the four types of attacks?
Interception: Unauthorized access to data (e.g., eavesdropping on a network).
Interruption: Making data or systems unavailable (e.g., shutting down a website).
Modification: Changing data in an unauthorized way (e.g., altering a document).
Fabrication: Creating false data or activities in a system (e.g., sending fake emails).
What is the difference between threats, vulnerabilities, and risks?
Threats: Potential dangers (e.g., hackers trying to steal data).
Vulnerabilities: Weaknesses that threats can exploit (e.g., weak passwords).
Risks: The chance that a threat will successfully exploit a vulnerability and cause harm.
What are the practices of secure software development?
Abuse Cases: Thinking about how hackers might misuse the software and planning defenses early, during the architecture and design phase.
Architectural Risk Analysis: Identifying security weaknesses in the software’s design, for example by using threat modelling, which already affects the architecture and design phase.
Code Review: Checking the source code for security mistakes that can be exploited as a security vulnerability. This can be done either by manual review or with static analysis tools.
Risk-Based Security Testing: Running automated tests to check if vulnerabilities can be successfully attacked. This can also include unit, integration, and system tests.
Penetration Testing: Simulating hacker attacks to test security and find any security holes.
Secure Operations: Keeping systems updated and monitoring them for security threats.