Adopting a AAA ap­proach to soft­ware se­cu­rity


Data is king. Consumers are more con­scious than ever in pro­vid­ing or­gan­i­sa­tions with ac­cu­rate data. The Cambridge Analytica - Facebook scan­dal cer­tainly did­n’t help change con­sumer per­cep­tions. With such a pre­mium placed on data, it’s im­per­a­tive that soft­ware de­vel­op­ers vig­i­lantly pro­tect con­sumer data. This ar­ti­cle will il­lus­trate WorkingMouse’s ap­proach to soft­ware se­cu­rity. If you’d like ad­vice on your se­cu­rity strat­egy, con­tact us.

The AAA Approach

When we con­sider an ap­pli­ca­tion’s se­cu­rity, we keep three points top of mind - au­then­ti­ca­tion, au­tho­ri­sa­tion and au­dit­ing. The best strat­egy for se­cu­rity is to have a lay­ered de­fence and a strong se­cu­rity plan in place. The strength of your se­cu­rity is only as strong as your weak­est link and two thirds of cy­ber breaches are caused or en­abled by em­ploy­ees.

As part of the lay­ered de­fence, we con­sider the soft­ware, hard­ware and host­ing of the ap­pli­ca­tions we build.


Authentication is a way of iden­ti­fy­ing a user. Essentially, it’s en­sur­ing you are who you say you are. Traditionally, this has been achieved through a user­name and a valid pass­word. Using only strong pass­words is a good start. More re­cently, two fac­tor au­then­ti­ca­tion and bio­met­rics have grown in pop­u­lar­ity. Two fac­tor au­then­ti­ca­tion (2FA) pro­vides that ex­tra layer of se­cu­rity. Not only must you pro­vide a user­name and pass­word, you will also be asked to pro­vide a unique code, usu­ally sent to your mo­bile. Chances are you’ve ex­pe­ri­enced 2FA al­ready, es­pe­cially if you’ve done any form of in­ter­net bank­ing.

Biometric iden­ti­fi­ca­tion en­crypts data un­til the user has been au­then­ti­cated us­ing bio­met­ric data (most com­monly a fin­ger­print). Most smart phones now ac­co­mo­date for bio­met­ric au­then­ti­ca­tion.


Following on from au­then­ti­ca­tion (we know who they are), a user must gain au­tho­ri­sa­tion for do­ing cer­tain tasks (what can they do). According to the Australian Signals Directorate, 1 of the top 4 mit­i­ga­tion strate­gies for cy­ber se­cu­rity is to re­strict ad­min­is­tra­tive priv­i­leges.

By us­ing the Codebots per­mis­sions be­hav­iour, prod­uct own­ers can cre­ate user groups and con­trol ac­cess lev­els. This en­sures that users are au­tho­rised to see only the nec­es­sary parts of the ap­pli­ca­tion.


Auditing is a re­ac­tive mea­sure. It tracks re­sources that end-users con­sume. Sometimes a cy­ber se­cu­rity at­tack can come from a trusted source like an em­ployee or end-user that has au­then­ti­ca­tion and au­tho­ri­sa­tion. So, we track every re­quest on your ap­pli­ca­tion for foren­sic pur­poses and com­pli­ance with the Notifiable Data Breaches scheme.

For more depth on each of these, watch the video be­low or head to the Codebots blog.

Assess Your Security Measures

The AAA frame­work gives you a bench­mark to as­sess your own ap­pli­ca­tion se­cu­rity. Firstly, con­sider au­then­ti­ca­tion. Are you au­then­ti­cat­ing users with a ba­sic user­name and pass­word or have you in­cluded 2FA/biometrics. The level of au­then­ti­ca­tion needed de­pends on the sen­si­tiv­ity of the data you’re pro­tect­ing. Serious con­sid­er­a­tion to an ex­tra layer of se­cu­rity should be given if you’re pro­tect­ing any kind of fi­nan­cial data.

Authorisation is tied closely to au­then­ti­ca­tion. Once you have au­then­ti­cated a user, do they have only the nec­es­sary per­mis­sions? If you have not set per­mis­sion lev­els or users are per­form­ing ac­tions they should not be able to per­form, a se­ri­ous au­dit of your au­tho­ri­sa­tion strat­egy is nec­es­sary.

Auditing re­quires log­ging of ses­sion sta­tis­tics and us­age in­for­ma­tion. If this is ne­glected, then you’re un­able to ef­fec­tively re­act to any threats. It means the same per­son can at­tack your soft­ware a num­ber of times and you would­n’t know. If you don’t log user records then im­me­di­ate ac­tion is re­quired to im­prove your soft­ware se­cu­rity.

Hardware Security

There are a num­ber of se­cu­rity mea­sures you can take when host­ing on the cloud. I’ll out­line some of the con­trols we have put in place to keep ap­pli­ca­tions WorkingMouse has de­vel­oped, safe.

We use a multi zone re­dun­dancy plan. All crit­i­cal data (database and shared file sys­tem) is repli­cated across at least two but more com­monly three phys­i­cal lo­ca­tions or “zones”. Because of the repli­ca­tion of crit­i­cal data across mul­ti­ple zones if a server phys­i­cally fails then data that has­n’t been backed up dur­ing the nightly cy­cle is not lost.

Site re­source ac­cess is pro­tected us­ing HTTPS. Internal sys­tem ad­min­is­tra­tion is pro­tected us­ing a two layer sys­tem. All data­bases are pass­word pro­tected with sev­eral lev­els of user priv­i­leges. Databases are only ac­ces­si­ble from within the in­ter­nal pri­vate fire­walled net­work.

Keeping a struc­tured ap­proach to your soft­ware’s se­cu­rity is crit­i­cal. Audit your­self on the three A’s and see how you per­form.

Discover Software


Eban Escott

Big pic­ture thinker and Star Wars fa­natic

Get cu­rated con­tent on soft­ware de­vel­op­ment, straight to your in­box.

What is OpenID Connect and How Does it Work?

Everything You Need to Know as a Cyber Security Beginner

Your vi­sion,

our ex­per­tise