This document outlines principles of secure system design, beginning with assumptions that secrets are not safe, the network is untrusted, and help should be sought. It then describes 9 primary design principles: principle of least authority, failing securely, keeping it simple, mediating all access, open rather than obscure designs, separation of duties, least common mechanisms, psychological acceptability of security, and defense in depth. Examples are provided for each principle. The document notes some additional considerations like password management and two-factor authentication.

1. Principles of Secure System Design
John Scrimsher
CISO / Head of IT @ Damballa
jps@damballa.com

2. This is a unique presentation of non-unique ideas
›Information gathered from multiple sources, including speakers own experiences
›Todd Merritt: https://dzone.com/articles/9-software-security-design
›Gary McGraw: http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-
enterprise-system-security
›Google: Principles of Secure System Design

3. The Buzz

4. Initial Considerations
› Start with the weakest link
› Do not trust by default
› Assume secrets are not safe
› Assume network is dirty
› Ask for help / borrow others ideas

5. 9 Primary Principles of Secure System Design
1. Principle of Least Authority
2. Fail Securely
3. Economy of mechanism (KISS Principle)
4. Mediate Completely
5. Open Design (vs. security by obscurity)
6. Separation of Duties / Privileges
7. Least Common Mechanism
8. Psychological Acceptability
9. Defense in Depth

6. Principle of Least Authority
› Need to know basis
› Only grant the permissions required to complete the task requested

7. Fail Securely
› Fail Open: Service continues to work when mechanism fails
› Fail Closed: Service ceases work when mechanism fails
› Fail Securely: Fail in the manner which provides security of life and intellectual property
Open Closed

8. Economy of Mechanism
› KISS Principle - Keep it as simple and small as possible
› Complexity is the enemy of security
› Design and Implementation errors may result in unauthorized access that would not be noticed
until normal use.
› Complexity may also break access where needed
Ankita Thaker, Maze door lock

9. Mediate Completely
› All access requests should be validated for authorization
› Prevent backdoor or “go-around” access

10. Psychological Acceptability
› If users perceive that security is hindering their job, they are more likely to go around the process
› Perceived value in their job will increase utilization

11. Open Design
› Do not rely upon obscurity
› Eventually someone will stumble upon it
› Don’t get stuck in the trap of “its behind our firewall, so that’s good enough”
Rendering by Jonathan L.: http://www.blendernation.com/2012/07/14/cabin-in-the-woods/

12. Separation of Duties / Privileges
› Prevents Fraud and Error
› Quality Control (Integrity of data)
› Examples (includes people with access to
these roles / environments):
− Development and Production
Environments
− Database Admin (DBA) vs. System
Admin

13. Least Common Mechanism
› Separate sessions for separate users
› Similar to Separation of Duties
› Do not share resources where not required
− Internal Authentication for internal resources, External Authentication for External
resources
− This is a why we need Complete Mitigation

14. Defense In Depth
› Layered Approach to Security
› Requires multiple attack types to penetrate

15. 9 Primary Principles of Secure System Design
1. Principle of Least Authority
2. Fail Securely
3. Economy of mechanism (KISS Principle)
4. Mediate Completely
5. Open Design (vs. security by obscurity)
6. Separation of Duties / Privileges
7. Least Common Mechanism
8. Psychological Acceptability
9. Defense in Depth

16. Whats Missing?
›Password Management
›Two Factor Authentication
›Encryption
›Data In Motion vs. At Rest
›I am sure you can think of more….

17. Threat Discovery Center
processes nearly 15% of the
world’s Internet traffic daily
Protect more than ½ billion
devices daily
Founded by data scientists
& researchers in 2006
DAMBALLA: Specialists in Advanced Threat Detection
Product innovation:
4 patents; 12 pending
Global deployments and
customers on five continents
Customers in every
vertical market

18. AUTOMATE DETECTION AND RESPONSE
Advanced Threat Detection
Automate
Discovery and validation
without human intervention
Detect
Unknown threats that hide from
traditional controls & assess
risk / impact of infection
Respond
Automatically, with
indisputable evidence to
prevent loss