1. SECURITY DESIGN PATTERNS
Ofer Rivlin
Product Security Architecture Lead
1
5TH ISRAELI CONFERENCE ON SOFTWARE ARCHITECTURE
2. Product security architecture lead at CyberArk
10 years as a cybersecurity architect and researcher
10 years as a software & system architect & developer
(not overlapping )
Passionate about innovative technology and cybersecurity
OFER RIVLIN
2
3. Review of 4 security design patterns
Covering description & standard, examples, threats and risks of fixing after the fact
• Clear separation between layers
• Segregate components
• Centralized security controls
• Fail securely
• Minimize attack surface area
• Separation of concerns (duties)
• Principle of defense in depth
AGENDA
3
• Avoid security by obscurity
• Principle of least privilege
• Zero trust
• Establish secure defaults
• Use a low-privilege account for app components
• Keep sensitive data out of client-side code
• Keep security simple
• . . .
4. Review of 4 security design patterns
Covering description & standard, examples, threats and risks of fixing after the fact
• Clear separation between layers
• Segregate components
• Centralized security controls
• Fail securely
• Minimize attack surface area
• Separation of concerns (duties)
• Principle of defense in depth
AGENDA
4
• Avoid security by obscurity
• Principle of least privilege
• Zero trust
• Establish secure defaults
• Use a low-privilege account for app components
• Keep sensitive data out of client-side code
• Keep security simple
• . . .
5. • Security layer
• Well designed architecture can prevent attacks even if there
are vulnerabilities
WHY DESIGN PATTERNS
5
6. • Security layer
• Well designed architecture can prevent attacks even if there
are vulnerabilities
• Must be part of any architecture
WHY DESIGN PATTERNS
6
7. • Security layer
• Well designed architecture can prevent attacks even if there
are vulnerabilities
• Must be part of any architecture from day #1
WHY DESIGN PATTERNS
7
9. Ensure there is a clear separation between the
data - controller – display
layers
such that security decisions can be enforced on
trusted systems
CLEAR SEPARATION BETWEEN LAYERS
9
11. • Malicious code injected as ‘Data’ and executed by the Controller
• Malicious code execution and affects Data Confidentiality and Integrity
• Confidential data exposed by Presentation layer
THREATS
11
15. Ensure that components are
segregated
via a defined security control such as
network segmentation
firewall rules
etc.
SEGREGATE COMPONENTS WITH SECURITY CONTROLS
15
19. • Potential for a very high effort
• May require redesign and reimplementation due to dependencies
• May require redesign of the authorization model
RISKS OF FIXING AFTER THE FACT
19
21. Verify that all security controls
(including libraries that call external security services)
have a
Centralized
implementation
CENTRALIZED IMPLEMENTATION FOR SECURITY CONTROLS
21
25. • Very high effort
• Rewiring of every object to this control, sometimes in several places.
• Risk of forgetting to connect objects or different places
• Similar to implementing non-centralized controls
RISKS OF FIXING AFTER THE FACT
25
40. • Security layer
• Must be part of any architecture from day #1
SUMMARY
40
41. SUMMARY
41
We reviewed these patterns
• Clear separation between layers
• Segregate components
• Centralized security controls
• Fail securely
42. We reviewed these patterns
• Clear separation between layers
• Segregate components
• Centralized security controls
• Fail securely
SUMMARY
42
Not covered patterns in this talk
• Minimize attack surface area
• Separation of concerns (duties)
• Principle of defense in depth
• Avoid security by obscurity
• Principle of least privilege
• Zero trust
• Establish secure defaults
• Use a low-privilege account for app components
• Keep sensitive data out of client-side code
• Keep security simple
• . . .