Friday, 23 September 2016

Developers need data classification

(from Software Security Book)

Every type of data that exists in an organisation, especially the data that is consumed by applications, needs to have a Data Classification mapping.

Developers need to know if a particular piece of data is sensitive, and what value it holds for the business.

A good way to determine the expected level of confidentiality and integrity, is to ask what would happen 'If a particular set of data were to be fully disclosed?' (for example uploaded to PasteBin) or 'If some of the data was being maliciously modified over a period of months?'.
These are really hard questions, and only by answering them, the developers (and business owners) can start to understand the value of an particular data set (given-to or generated-by their application).

Developers need to understand what they are dealing with, what is valuable to the business, and what needs to be protected.

See Microsoft's Data Classification Wizard for a good list of data types that exist on large organisations (this will need to be tweaked per application)