What is the CIA triad in software security?

The CIA triad is the three core security objectives: confidentiality (only authorised parties can read data), integrity (data is accurate and has not been tampered with), and availability (the system is accessible to authorised users when needed). Every security control supports one or more of these. For example, encryption protects confidentiality, hashing and checksums support integrity, and backups and redundancy support availability.

What is the difference between encryption and hashing?

Encryption is reversible: data is transformed with a key and can be decrypted back to the original with the right key. It protects confidentiality. Hashing is one-way: it produces a fixed-length digest that cannot be reversed to recover the input. It is used for integrity checks and for storing passwords (you compare hashes, never decrypt them). Passwords should be hashed with a slow, salted function such as bcrypt or Argon2, not encrypted.

What is the secure development lifecycle?

The secure development lifecycle (SDL) builds security into every phase of software development rather than adding it at the end. Typical phases: threat modelling and security requirements during design, secure coding standards and code review during development, dependency and static analysis (SAST) during build, dynamic testing (DAST) and penetration testing before release, and monitoring and patching after deployment. Building security in early is far cheaper than fixing breaches later.

Why must validation happen on the server, not just the browser?

Client-side validation in the browser improves user experience and gives quick feedback, but it can be bypassed trivially: an attacker can disable JavaScript or send requests directly with a tool like curl. The server is the trust boundary, so all input must be validated and sanitised again on the server. Client-side validation is a convenience; server-side validation is the actual security control.

← Software Engineering guides

NSWSoftware Engineering

HSC Software Engineering Module 1 Secure Software Architecture deep dive

Deep dive on HSC Software Engineering Module 1, Secure Software Architecture. The CIA triad, authentication and authorisation, encryption and hashing, the OWASP Top 10, input validation, and the secure development lifecycle, with worked exam examples.

Generated by Claude Opus 4.717 min readNESA-SENG-12-M1Updated 2026-05-24

Jump to a section

How Module 1 fits into HSC Software Engineering
The CIA triad
Authentication and authorisation
Encryption: symmetric and asymmetric
Hashing and password storage
The OWASP Top 10
Input validation and sanitisation
The secure development lifecycle
Common Module 1 examiner traps
Check your knowledge
Where to go next

How Module 1 fits into HSC Software Engineering

Secure Software Architecture is Module 1 of Year 12 Software Engineering, and it sets up ideas that recur throughout the course. The Programming for the Web module reuses these security concepts when it covers web vulnerabilities, and the Software Engineering Project module reuses the secure development lifecycle. NESA examines this module heavily, and the OWASP Top 10 is the single most reliably tested list in the course.

The module asks you to design software with security built in from the start, reason about threats, and pair each risk with a concrete mitigation a developer can implement. This guide walks through the CIA triad, authentication and authorisation, encryption and hashing, the OWASP Top 10, input validation, and the secure development lifecycle, with worked examples in the style NESA uses.

The CIA triad

Three objectives sit at the centre of software security.

Every control maps to one or more of these. Encryption protects confidentiality. Hashes and digital signatures protect integrity. Backups, redundancy and protection against denial-of-service attacks support availability. When you answer a design question, name which leg of the triad a control supports; markers reward that linkage.

Authentication and authorisation

These two are constantly confused, so be precise.

Authentication mechanisms include passwords (hashed and salted), multi-factor authentication (something you know, have, and are), and token-based or session-based login. Authorisation mechanisms include role-based access control (assigning permissions to roles such as user and admin) and object-level checks (confirming the current user owns the specific record they request). A common exam trap is hiding an admin button in the user interface but forgetting the server-side check, which leaves the endpoint exposed.

Encryption: symmetric and asymmetric

In practice the two combine. HTTPS uses asymmetric cryptography during the TLS handshake to agree on a shared symmetric session key, then uses fast symmetric encryption for the actual traffic. Digital signatures use the private key to sign and the public key to verify, which provides integrity and non-repudiation.

Hashing and password storage

Hashing is one-way. A hash function maps any input to a fixed-length digest that cannot be reversed. You never decrypt a password; you hash the submitted password and compare digests.

Correct practice uses a slow, purpose-built password hashing function (bcrypt, scrypt or Argon2) with a unique random salt per user. The slowness frustrates brute-force attacks; the salt ensures identical passwords produce different hashes and defeats precomputed rainbow tables. The following Python uses bcrypt correctly.

import bcrypt

def hash_password(plain: str) -> bytes:
    # bcrypt generates and embeds a random salt automatically
    return bcrypt.hashpw(plain.encode("utf-8"), bcrypt.gensalt(rounds=12))

def verify_password(plain: str, stored_hash: bytes) -> bool:
    return bcrypt.checkpw(plain.encode("utf-8"), stored_hash)

The salt is generated by gensalt and stored inside the resulting hash string, so each user's hash is unique even if two users pick the same password.

The OWASP Top 10

The Open Worldwide Application Security Project publishes the Top 10 most critical web application security risks. The 2021 list is the current reference. You should be able to name a risk, give a concrete example, and state a mitigation.

You will not be expected to recite all ten verbatim under pressure, but you should know the most-examined ones cold: broken access control, injection (especially SQL injection and cross-site scripting), and cryptographic failures. For each, practise the example-plus-mitigation pattern.

Risk	Example	Mitigation
Broken access control	Changing `/api/orders/123` to `/124` to read another user's order	Object-level authorisation on every endpoint; deny by default
Injection	SQL injection through string-concatenated queries	Parameterised queries; allow-list input validation
Cryptographic failures	Passwords stored in plain text; traffic over HTTP	Hash with bcrypt or Argon2; enforce HTTPS everywhere

Input validation and sanitisation

The server is the trust boundary. All input from the client must be validated (does it meet the expected format and range) and sanitised or safely handled (so it cannot be interpreted as code).

Validation defends against many OWASP risks at once. Parameterised queries stop SQL injection. Context-aware output encoding stops cross-site scripting. Length and type checks stop buffer and logic errors. Note that the legitimate way to defend against script injection is to encode output for its context, not to write <script> tags yourself; the literal script examples you see in the web vulnerabilities dot points are lesson content showing what an attack looks like.

The secure development lifecycle

Security is built in across every phase, not bolted on at the end.

The economic argument is central: fixing a vulnerability found during design costs a fraction of fixing it after a breach in production. Threat modelling early, reviewing code, and scanning dependencies catch issues before they ship.

Common Module 1 examiner traps

Confusing authentication with authorisation.
Saying "encrypt passwords" instead of "hash and salt passwords".
Naming an OWASP risk without a concrete example or a specific mitigation.
Relying only on client-side validation.
Treating security as a final testing step rather than a lifecycle concern.

Check your knowledge

Answer all questions under exam conditions, then mark against the solutions block.

(3 marks) Define each component of the CIA triad and give one security control that supports each.
(4 marks) A developer says "we encrypt our users' passwords with AES so they are safe". Explain what is wrong with this approach and describe the correct way to store passwords.
(5 marks) For three risks from the OWASP Top 10, give a concrete attack example and a specific developer-side mitigation. Tie each mitigation to a phase of the secure development lifecycle.
(4 marks) Explain why input validation performed only in the browser is insufficient, and describe where and how validation should be performed instead. Include the difference between an allow-list and a deny-list.
(4 marks) Compare symmetric and asymmetric encryption, and explain how HTTPS uses both during and after the TLS handshake.

Solutions

Q1: Confidentiality means only authorised parties can read data; a supporting control is encryption (or access control). Integrity means data is accurate and unaltered; a supporting control is hashing, checksums or digital signatures. Availability means authorised users can access the system when needed; a supporting control is backups, redundancy or protection against denial-of-service. Markers reward a correct definition plus a matching control for each.
Q2: Encryption is reversible, so anyone who obtains the AES key (and keys are often stored near the data or in source code) can decrypt every password at once. Passwords should never be recoverable. The correct approach is one-way hashing with a slow, salted, purpose-built function such as bcrypt, scrypt or Argon2: hash the password on registration, store only the hash, and at login hash the submitted password and compare digests. The per-user salt ensures identical passwords have different hashes and defeats rainbow tables; the slowness frustrates brute force. Markers reward identifying that encryption is reversible and that hashing with a salted slow function is the standard.
Q3: Example marking points (any three): (i) Injection, SQL injection through "... WHERE name = '" + input + "'", mitigated by parameterised queries and allow-list validation, enforced through secure coding standards and SAST in the development and build phases. (ii) Broken access control, reading another user's record by editing the id in a URL, mitigated by server-side object-level authorisation that denies by default, designed in during the requirements and design phase and verified by penetration testing. (iii) Cryptographic failures, traffic sent over HTTP and passwords in plain text, mitigated by enforcing HTTPS and hashing passwords with bcrypt, addressed in design and verified in the test phase. Markers reward three distinct, correctly named risks, each with an example, a specific mitigation, and a lifecycle phase.
Q4: Browser validation can be bypassed: an attacker can disable JavaScript, edit the page, or send requests directly with a tool such as curl, so the server never sees the browser's checks. The server is the trust boundary, so all input must be validated and sanitised again on the server before it is used in a query, rendered, or stored. An allow-list accepts only input matching known-good patterns (for example, a postcode must be exactly four digits) and is preferred because it fails safe; a deny-list blocks known-bad patterns and tends to miss novel attacks. Markers reward the bypass argument, server-side validation as the real control, and the allow-list versus deny-list distinction.
Q5: Symmetric encryption uses one shared key to encrypt and decrypt (for example AES); it is fast and suited to bulk data, but the key must be shared securely. Asymmetric encryption uses a public and private key pair (for example RSA); anyone can encrypt with the public key but only the private key decrypts, and it is slower so it is used for key exchange and signatures. HTTPS combines both: during the TLS handshake the client and server use asymmetric cryptography to authenticate the server (via its certificate) and to securely agree on a shared symmetric session key; after the handshake, all traffic is encrypted with that fast symmetric key. Markers reward the same-key versus key-pair distinction, the speed and use-case difference, and the handshake-then-bulk explanation of HTTPS.

Where to go next

Practise these ideas in exam format with our HSC Software Engineering practice questions, and see how security applies to real web applications in the Programming for the Web deep dive. For dot-point answers, browse the full syllabus index.

For the official syllabus, refer to NESA at educationstandards.nsw.edu.au.