Architecture Blog: Security as a Feature
IF YOU BUILD IT

... Will they Come?

by Arnon Rotem-Gal-Oz
April 29, 2006

Security as a Feature

I read Alik Levin's "I do want to write secure code, where do I start?..." post a few days ago. What caught my eye was the statement:

"To me, application security is not different from other application feature--really it is not."

Well, I think this statement is wrong. Here's why.

On one hand, security doesn't add direct value to the users of the system. Security doesn't alter the way the application behaves--and if it does, it is for the worse. For example, usability-wise, it is a nuisance to have to key in a password before you can start being productive. Moreover, adding encryption/decryption makes it harder to achieve performance requirements.

On the other hand, adding security is not like adding support for Gold and VIP statuses to Customer Service. It isn't isolated to a specific area of the application; rather, you need to pay attention to it all over the application and at several different levels.

Nevertheless, security is very important--and while a lack of security will not alter the solution's functionality, it will have an impact on the quality of the solution. This characteristic of security makes it a quality attribute of the system and thus an architectural element.

Posted by Arnon Rotem-Gal-Oz at 01:26 PM