vanderaj
commented
8 years ago My $0.02. Yes, it's in ISO 27002. Application resiliency and rapid recovery is the current trend in application security, so I believe it should be included.
Closed grimley517 closed 1 year ago
vanderaj
commented
8 years ago My $0.02. Yes, it's in ISO 27002. Application resiliency and rapid recovery is the current trend in application security, so I believe it should be included.
kernelrich
commented
8 years ago CIA are the atomic principles of security; meaning they cannot be decomposed and still be a security principle. Availability is the generalization of resilience.
bradchesney79
commented
8 years ago I don't see why a chapter about backups and restoration cannot exist in its own right-- it is a rather important topic that people may want an overview on. Additionally, what good is keeping the live data safe if a malicious entity can try capturing a backup, necessitating a cursory effort at keeping that collection of the everything safe.
In general and at the very least, I try to mention the base of complex ideas that the reader can deep dive on if desired. I am treating the dev guide as a source for exposure to ideas that they may not see without a guiding hand, which in turn will allow them to fill in the higher level exact details of their own knowledge if they are so inclined.
lukos
commented
8 years ago In information security, the aim is Business Recovery rather than something as specific as Backups so we would need to keep the line clear between whether we are covering the general or the specific. Business Recovery includes processes, personnel, alternate sites etc. whereas from a development perspective, we would only be able to touch a small part of that.
pquodling
commented
7 years ago Indeed, it is a very common and dangerous mistake to assume that Business (Disaster) Recovery, and Business Resilience, and Backups and restores are the same (or can be serviced by the same criteria). but practise in a development environment is a step towards a good production environment. I experienced at a Large telco (that ajv will know well) a situation where a large SW Company had been doing application development on a multimillion dollar development platform, that even had a Storagetek tape robot attached, and hadn't had a backup done in two years. Development is still a production process in the voyage towards actual production.
jgadsden
commented
1 year ago Agreed that business continuity is certainly one of the central domains of security, but closing this issue because it will not be included in the Developer Guide itself
Is recovery a part of security?
In an extension to the principles of security mentioned In foundations - Security fundamentals. Should 'recovery' come into the scope of security?
The three principles that exist are all valid, and act to prevent damage to a website. However; when a compromise occurs, the ability to recover to a secure state quickly and effectively is an important component. It is commonly performed as part of many web teams role, however perhaps under the heading of 'maintenance'.
In the triad 'recovery' might fit as part of availability, and also part of integrity.