diff -r 43e37759235e -r 51a74ef9ed63 Symbian3/SDK/Source/GUID-39A995DC-F047-4B41-A60D-27063CE329BE.dita
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/Symbian3/SDK/Source/GUID-39A995DC-F047-4B41-A60D-27063CE329BE.dita	Wed Mar 31 11:11:55 2010 +0100
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
+<!-- This component and the accompanying materials are made available under the terms of the License 
+"Eclipse Public License v1.0" which accompanies this distribution, 
+and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
+<!-- Initial Contributors:
+    Nokia Corporation - initial contribution.
+Contributors: 
+-->
+<!DOCTYPE concept
+  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
+<concept id="GUID-39A995DC-F047-4B41-A60D-27063CE329BE" xml:lang="en"><title>Planning
+system and software security</title><prolog><metadata><keywords/></metadata></prolog><conbody>
+<p>Devices based on the Symbian platform are capable of joining both public
+and private networks and often have the functionality of a normal desktop
+computer. However, the average user does not perceive the device as a computer,
+but rather as a regular phone that is safe from security threats. This creates
+an opportunity for hostile attackers to infiltrate the device and wreak severe
+direct or indirect damage (for example, by penetrating into the corporate
+intranet).</p>
+<p>It is, however, possible to anticipate these kinds of threats, and protect
+applications by using the security features offered by the Symbian platform,
+and by expanding <i>security policies</i> to cover mobile devices and services.</p>
+<p>To develop system or software security, repeat the following steps:</p>
+<ol>
+<li id="GUID-98856624-2B55-44FC-9DD9-69850C2B22D9"><p>Define and
+evaluate all critical assets (resources, information).</p></li>
+<li id="GUID-4FE98A61-A0B8-4249-936E-DF319804AA2D"><p>Identify all
+possible threats, vulnerabilities, and potential attacks, and estimate the
+extent of possible damage.</p><p>Areas to examine in the Symbian platform
+are system resources, removable media, and communication between components.</p>
+</li>
+<li id="GUID-43B87274-297C-4AA8-B2A1-872E2BA83F30"><p>Prioritize
+high-risk vulnerabilities, and select and implement corresponding security
+features. If risks are sufficiently low, protective measures may be unnecessary.</p>
+</li>
+<li id="GUID-3D7F3A95-635E-4D9C-9883-BBD36263401D"><p>Repeat these
+steps until the necessary level of protection is achieved.</p></li>
+</ol>
+<p/>
+<fig id="GUID-A41ADA16-6D0B-4EA4-BBF2-67C2CFED68F3"><title>Security development process</title><image href="GUID-316D7B85-F827-4479-B5EE-81F210614236_d0e10243_href.png"/></fig>
+<p>The security development process is guided by <i>cost</i>, <i>efficiency,</i> and <i>usability</i>.
+If security is too tight, this may be expensive and affect both performance
+and the user's experience of the system or software. On the other hand, if
+security is too slack, this may result in severe damage and, in the long run,
+be even more costly.</p>
+<section id="GUID-39A995DC-F047-4B41-A60D-27063CE329BF"><title>Security methods</title>
+<p>The list below contains the most common and important security methods
+used in the mobile world:</p>
+<ul>
+<li><p><i>Ciphering</i> enables confidentiality. Information is
+accessible only by authorized parties. With ciphering it is also possible
+to maintain integrity.</p></li>
+<li><p><i>Hash</i> function (<i>checksum</i>) can be used to verify
+integrity and detect information tampering.</p></li>
+<li><p><i>Signing</i> allows attaching of information to a certain
+source.</p></li>
+<li><p><i>Authentication</i> ensures that the object is what it
+claims to be.</p></li>
+<li><p><i>Access control</i> restricts unauthorized access to resources.</p>
+</li>
+<li><p><i>Authorization</i> is permission to perform tasks on behalf
+of somebody else.</p></li>
+<li><p><i>Certification</i> is provided usually by a third party
+to prove information validity.</p></li>
+<li><p><i>Recovery mechanisms</i> are usually implemented as redundancy
+(duplication of information or routes).</p></li>
+<li><p>In communication it is possible to use, for example, <i>error
+correction</i> to repair transmission failures, <i>random traffic generation</i> to
+keep the line occupied, and <i>packet uniforming</i> to blend important packets
+into traffic.</p></li>
+</ul>
+<p>Some of the methods above are interconnected (for example, certification
+requires that the information is signed) and not all of them are of equal
+importance, since some basic methods form a base for more complicated methods.</p>
+</section>
+</conbody></concept>
\ No newline at end of file