These days, many companies and organizations use a wide range of solutions and equipment. Even if we have been doing so all along, we can all acknowledge the need for a security review of whatever we introduce in the future.


So what should we consider in a security review?

 

A variety of products require a security review. It could be a specific function used to develop a web service, or a solution used for operations. For products already in use, the security review items are well known, but for new products there is no guidance from auditing organizations.

 


So what should we do?


Viewed in broad categories, it still comes down to the three elements of security: integrity, confidentiality and availability.


Considerations for integrity include authority and audit. Confidentiality requires that only authorized users have access. Availability means ensuring that services are not overloaded and considering ways to recover from a disaster.

 

 

Let's take Docker, which was covered in a recent post, as an example. First, for integrity, account management should ensure that authorized users work only with the rights granted to them, and that unauthorized users cannot tamper with or otherwise interfere with the images running on Docker.

  

As an example of confidentiality, ACLs should be set so that only the people who operate or manage Docker can access it, and only from designated PCs, keeping other users out. If there is an administrator web service, vulnerability checks are needed to confirm that the ACL settings and the authentication/permission checks cannot be bypassed through web hacking.


For availability, provide server redundancy for when services are affected by DoS attacks, traffic growth or other issues, or establish policies that avoid major disruption to service operation through rapid recovery in the event of an accident.
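
As an added example (not part of the original post), the three review areas above can be turned into a small check over Docker's `daemon.json`. The two sample configurations, the address, the file paths and the plugin name `example-authz-plugin` are constructed for illustration, and the mapping of settings to review areas is one possible choice.

```python
import json

# Constructed sample daemon.json contents (not from the original post).
WEAK = json.loads('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
HARDENED = json.loads("""{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "authorization-plugins": ["example-authz-plugin"],
  "live-restore": true
}""")


def review_daemon_config(cfg):
    """Return (category, finding) pairs for a parsed daemon.json dict."""
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]

    # Confidentiality: the remote API should only be usable by designated clients.
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append(("confidentiality",
                         "TCP API without client certificate verification (tlsverify)"))
    for h in tcp_hosts:
        if h.startswith("tcp://0.0.0.0") or h.startswith("tcp://[::]"):
            findings.append(("confidentiality", f"{h} listens on every interface"))

    # Integrity: without an authorization plugin, anyone who reaches the API
    # can run any command, so per-user rights cannot be enforced.
    if not cfg.get("authorization-plugins"):
        findings.append(("integrity",
                         "no authorization plugin; API access is all-or-nothing"))

    # Availability: by default, containers are shut down when the daemon stops.
    if not cfg.get("live-restore", False):
        findings.append(("availability",
                         "live-restore off; containers stop when the daemon stops"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for category, finding in review_daemon_config(cfg):
            print(f"  [{category}] {finding}")
```
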

