Mercurial Mercurial > oss > FCL > sftools > depl > docscontent / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Symbian3/SDK/Source/GUID-CC8EA664-FF2E-40FB-BC1C-89FB1255A9C9.dita
changeset 7 51a74ef9ed63 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/Symbian3/SDK/Source/GUID-CC8EA664-FF2E-40FB-BC1C-89FB1255A9C9.dita	Wed Mar 31 11:11:55 2010 +0100
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
+<!-- This component and the accompanying materials are made available under the terms of the License 
+"Eclipse Public License v1.0" which accompanies this distribution, 
+and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
+<!-- Initial Contributors:
+    Nokia Corporation - initial contribution.
+Contributors: 
+-->
+<!DOCTYPE concept
+  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
+<concept id="GUID-CC8EA664-FF2E-40FB-BC1C-89FB1255A9C9" xml:lang="en"><title>General
+protection principles</title><prolog><metadata><keywords/></metadata></prolog><conbody>
+<p>Paying attention to the general protection principles below increases
+security in mobile software.</p>
+<section id="GUID-221C271B-4E13-4666-803C-6BCB7BDD8C1E"><title>Prevention</title>
+<p><i>Prevention</i> is the key component in security threat management.
+Over the past few years, the approach to security has shifted from <i>reactive</i> to <i>proactive</i>,
+meaning that prevention is increasingly important. However, the reactive component
+is still necessary because security levels degrade over time due to information
+corruption, new attack methods and viruses, etc.</p>
+<p>By intercepting security breaches before they even happen you can create
+potentially safe applications and systems. However, even the most secure solutions
+may have weaknesses, so you should never place your trust in only one method.</p>
+</section>
+<section id="GUID-78A8158D-1F67-46BE-91AD-8227200B46D6"><title>Control</title>
+<p>If a security incident is about to happen, it is still possible to minimize
+and isolate damage with <i>control of events</i> and strong <i>internal borders</i>.
+By dividing the system or software into sufficiently small units, it is easier
+to control and manage security features. Division also helps to isolate infections
+within a single unit.</p>
+<p>Another useful control feature is the <i>minimum rights principle</i>,
+wherein each unit is given only the minimum rights to complete its tasks.
+Controls can be imposed by <i>authenticating</i> and <i>authoring</i> all
+traffic between units, and by limiting access rights of unidentified parties.
+These techniques can be applied from a single software component to an entire
+business system.</p>
+<p>From Symbian OS v9.1 onwards, <xref href="GUID-4BFEDD79-9502-526A-BA7B-97550A6F0601.dita">platform
+security</xref> implements control of events inside the operating system and
+creates borders for different security areas (for example, by means of <xref href="GUID-ACDED56F-38FE-491D-B019-BE2C53A75D28.dita">data caging</xref> and server
+protection). Platform security also implements the minimum rights principle.</p>
+<p>Additionally, there are <xref href="GUID-9058F379-C495-4B22-B270-FF6A80E450B8.dita#GUID-9058F379-C495-4B22-B270-FF6A80E450B8/GUID-9058F379-C495-4B22-B270-FF6A80E450B9">third-party
+security applications</xref> such as <i>antivirus software</i>, <i>firewalls,</i> and <i>intrusion
+detection systems</i> that provide good protection against hostile attacks
+when combined with strict <i>policies</i>.</p>
+</section>
+<section id="GUID-13186350-A3DC-4793-8D7A-7832086083AD"><title>Testing and validation</title>
+<p>Even the strongest security systems may have vulnerabilities which are
+not apparent until the application or product is in use. Software complexity
+and combinations of different technologies are known to increase the chance
+of software flaws. Software usually functions properly even when it is not
+secure. This is why extensive <i>testing and validation</i> are needed during
+development. The purpose of security testing is to find errors and flaws that
+may jeopardize the security and integrity of information stored in the mobile
+device.</p>
+<p>Traditional testing validates software against specifications, but security
+testing studies behavior and possible side effects in different environments.
+For example, <i>white hat hacking</i> attempts to identify vulnerabilities
+before malicious (black hat) hackers do. Common areas for security testing
+include user interfaces, information storage, communications, and the software's
+internal security (for example, algorithms, robustness, recovery).</p>
+<p>To have a complete evaluation of security features and risks, it is
+important to perform a full security analysis for every published version
+of an application.</p>
+</section>
+</conbody></concept>
\ No newline at end of file
FCL/sftools/depl/docscontent