There are two distinct ways to build security into your software:
- have your software tested and/or hacked, and start applying technology to plug the holes and keep the bad guys out
- think about how your software could be misused and make sure your design prevents that
Or, as Gary McGraw just wrote, in much better words:
Unfortunately, the concept of “anticipating attacks” seems to be quite alien to the average developer, which you can recognize when a threat scenario is met with “but why would someone do that?”.
It also seems to be hard to teach. There is a new effort that I think has lots of promise: the IEEE Center for Secure Design tries to tackle the problem from the design angle. This is their mission statement:
The IEEE Computer Society’s CSD will gather software security expertise from industry, academia and government. The CSD provides guidance on:
- Recognizing software system designs that are likely vulnerable to compromise.
- Designing and building software systems with strong, identifiable security properties.
The CSD is part of the IEEE Computer Society’s larger cybersecurity initiative, launched in 2014.
If you’re interested in the topic, I would encourage you to read their document. It tries to explain the most common design flaws that lead to vulnerabilities. Ideally, every security architect on your team should have read (and understood) those.
These are the topics explained in more detail in the PDF:
- EARN OR GIVE, BUT NEVER ASSUME, TRUST
- USE AN AUTHENTICATION MECHANISM THAT CANNOT BE BYPASSED OR TAMPERED WITH
- AUTHORIZE AFTER YOU AUTHENTICATE
- STRICTLY SEPARATE DATA AND CONTROL INSTRUCTIONS, AND NEVER PROCESS CONTROL INSTRUCTIONS RECEIVED FROM UNTRUSTED SOURCES
- DEFINE AN APPROACH THAT ENSURES ALL DATA ARE EXPLICITLY VALIDATED
- USE CRYPTOGRAPHY CORRECTLY
- IDENTIFY SENSITIVE DATA AND HOW THEY SHOULD BE HANDLED
- ALWAYS CONSIDER THE USERS
- UNDERSTAND HOW INTEGRATING EXTERNAL COMPONENTS CHANGES YOUR ATTACK SURFACE
- BE FLEXIBLE WHEN CONSIDERING FUTURE CHANGES TO OBJECTS AND ACTORS