Defining the quality levels was the first step, now we need to talk about the individual protection profiles of certain applications. Knowing those protection profiles allows us to decide, which quality level we need for our security activities.
Minimal Protection Profile
An application or system finds itself in this category, if it doesn’t have to fulfill any substantial security requirements. You don’t mind it being knocked offline for a few days and even if someone manipulates its content, you couldn’t care less. The software is not used in any environments, where it can be utilized as an entry point to more critical systems or applications. Common examples are private home pages or the fan page of your local sports team. In a business context, you usually don’t find any of those applications.
Low Protection Profile
This category represents applications with low protection requirements. Your software has a certain relevance, but the potential damage that can be done won’t cause any long lasting financial loss or harm to your brand. Especially when it comes to data handled by such an application, no confidential data is processed or stored. You will usually find business applications on this level, that are not considered critical for operation.
Medium Protection Profile
This category builds the bridge between the applications not really considered relevant for security and those that can have a massive impact. You worry about those applications and are willing to spend a certain amount of resources and manpower into their protection, but a system compromise still feels manageable. An internal knowledge base comes to mind. If it is offline, employees will be less efficient. If the content gets manipulated, people will make ill advised decisions. If confidential data gets accessed unauthorized, valuable information will fall into the wrong hands. Depending on the actual impact of those scenarios, it can be argued that the protection profile should be considered lower or higher instead, but this category is a solid middle ground for those important applications, that you don’t feel comfortable rating high.
High Protection Profile
Once an application reaches this category, things become interesting. Such an application might not have the potential to bring a company to its knees in case of failure, but an attacker could still deal significant damage by compromising such a system. A broad range of application types come to mind for this category. This could be a VPN server protecting your network against unauthorized access, a news portal with a broad audience or a system acting as potential entry-point for an attacker into critical areas of your network. If a system compromise would really hurt you, but the company will likely survive the impact, you have probably identified an application with a high protection profile.
Very High Protection Profile
This category is reserved for the most critical applications that are considered business critical. A successful attack against such an application often has an immediate but also long lasting impact like a significant financial loss, violation of law or a very detrimental effect on the value of the brand. In the worst case, a significant breach could be the end of the company using the software. Usually, such applications are core systems of critical infrastructure, are involved in high-value financial transactions, handle large amounts of PII, provide the main service of a company or have to capacity to harm the safety of people.
Which profile is best?
Of course it is no coincidence that we have the same amount of quality levels as we have different protection profiles. Those two definitions are aligned. If you have an application with just a minimal protection profile, guess what? Wood quality might actually be enough for you. Of course you can invest more in such applications, but from a security perspective, you are fine doing the minimum. When we are talking about applications with a very high protection profile, there is only one way to go. Diamond quality is crucial to address the needs of such critical applications.
To keep track of the big picture, I have created an overview that summarizes the essential properties of each quality level. This overview will also serve as a reference for all future articles in this series in order to model the respective security activities. You are welcome to start assessing selected areas of your secure software development process based on this generic overview. However, it only becomes really tangible once you are using the specific versions that will be released in the months to come.