Week 32 contribution of PDK documentation content. See release notes for details. Fixes bug Bug 3582
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
<!-- This component and the accompanying materials are made available under the terms of the License
"Eclipse Public License v1.0" which accompanies this distribution,
and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
<!-- Initial Contributors:
Nokia Corporation - initial contribution.
Contributors:
-->
<!DOCTYPE concept
PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept id="GUID-CC8EA664-FF2E-40FB-BC1C-89FB1255A9C9" xml:lang="en"><title>General
protection principles</title><prolog><metadata><keywords/></metadata></prolog><conbody>
<p>Paying attention to the general protection principles below increases
security in mobile software.</p>
<section id="GUID-221C271B-4E13-4666-803C-6BCB7BDD8C1E"><title>Prevention</title>
<p><i>Prevention</i> is the key component in security threat management.
Over the past few years, the approach to security has shifted from <i>reactive</i> to <i>proactive</i>,
meaning that prevention is increasingly important. However, the reactive component
is still necessary because security levels degrade over time due to information
corruption, new attack methods and viruses, etc.</p>
<p>By intercepting security breaches before they even happen you can create
potentially safe applications and systems. However, even the most secure solutions
may have weaknesses, so you should never place your trust in only one method.</p>
</section>
<section id="GUID-78A8158D-1F67-46BE-91AD-8227200B46D6"><title>Control</title>
<p>If a security incident is about to happen, it is still possible to minimize
and isolate damage with <i>control of events</i> and strong <i>internal borders</i>.
By dividing the system or software into sufficiently small units, it is easier
to control and manage security features. Division also helps to isolate infections
within a single unit.</p>
<p>Another useful control feature is the <i>minimum rights principle</i>,
wherein each unit is given only the minimum rights to complete its tasks.
Controls can be imposed by <i>authenticating</i> and <i>authoring</i> all
traffic between units, and by limiting access rights of unidentified parties.
These techniques can be applied from a single software component to an entire
business system.</p>
<p>From Symbian OS v9.1 onwards, <xref href="GUID-4BFEDD79-9502-526A-BA7B-97550A6F0601.dita">platform
security</xref> implements control of events inside the operating system and
creates borders for different security areas (for example, by means of <xref href="GUID-ACDED56F-38FE-491D-B019-BE2C53A75D28.dita">data caging</xref> and server
protection). Platform security also implements the minimum rights principle.</p>
<p>Additionally, there are <xref href="GUID-9058F379-C495-4B22-B270-FF6A80E450B8.dita#GUID-9058F379-C495-4B22-B270-FF6A80E450B8/GUID-9058F379-C495-4B22-B270-FF6A80E450B9">third-party
security applications</xref> such as <i>antivirus software</i>, <i>firewalls,</i> and <i>intrusion
detection systems</i> that provide good protection against hostile attacks
when combined with strict <i>policies</i>.</p>
</section>
<section id="GUID-13186350-A3DC-4793-8D7A-7832086083AD"><title>Testing and validation</title>
<p>Even the strongest security systems may have vulnerabilities which are
not apparent until the application or product is in use. Software complexity
and combinations of different technologies are known to increase the chance
of software flaws. Software usually functions properly even when it is not
secure. This is why extensive <i>testing and validation</i> are needed during
development. The purpose of security testing is to find errors and flaws that
may jeopardize the security and integrity of information stored in the mobile
device.</p>
<p>Traditional testing validates software against specifications, but security
testing studies behavior and possible side effects in different environments.
For example, <i>white hat hacking</i> attempts to identify vulnerabilities
before malicious (black hat) hackers do. Common areas for security testing
include user interfaces, information storage, communications, and the software's
internal security (for example, algorithms, robustness, recovery).</p>
<p>To have a complete evaluation of security features and risks, it is
important to perform a full security analysis for every published version
of an application.</p>
</section>
</conbody></concept>