SlideShare a Scribd company logo

Secure by Design - Security Design Principles for the Rest of Us

Eoin Woods
Eoin Woods

Security is an ever more important topic for system designers. As our world becomes digital, today’s safely-hidden back office system is tomorrow’s public API, open to anyone on the Internet with a hacking tool and time on their hands. So the days of hoping that security is someone else’s problem are over. The security community has developed a well understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers, assuming that it’s only relevant to security specialists. In this talk, we will briefly discuss why security needs to be addressed as part of architecture work and then introduce a set of proven principles for the architecture of secure systems, explaining each in the context of mainstream system design, rather than in the specialised language of security engineering. This version of the talk was presented at GOTO London in October 2016.

Software
1 of 31
Download to read offline
SECURE BY DESIGN Security Design Principles for the Rest of Us
 GOTO London 2016 Eoin Woods - Endava
 @eoinwoodz 1
BACKGROUND • Eoin Woods • CTO at Endava (technology services, 3300 people) • 10 years in product development - Bull, Sybase, InterTrust • 10 years in capital markets applications - UBS and BGI • Software engineer, then architect, now CTO • Author, editor, speaker, community guy 2
CONTENT • What is security and why do we care? • What are design principles, why are they useful? • Security design principles • 10 important principles useful in practice 3
REVISITING SECURITY • We all know security is important - but why? • protection against malice, mistakes and mischance • theft, fraud, destruction, disruption • Security is a risk management business • loss of time, money, privacy, reputation, advantage • insurance model - balance costs against risk of loss 4
ASPECTS OF SECURITY PRACTICE Secure Application Design Secure Application Implementation Secure Infrastructure Design Secure Infrastructure Deployment Secure System Operation 5
SECURITY DESIGN PRINCIPLES What is a “principle” ? a fundamental truth or proposition serving as the foundation for belief or action [OED] We define a security design principle as …. a declarative statement made with the intention of guiding security design decisions in order to meet the goals of a system 6
SECURITY DESIGN PRINCIPLES • There are many sets of security design principles • Viega & McGraw (10), OWASP (10), NIST (33), NCSC (44), Cliff Berg’s set (185) … • Many similarities between them at fundamental level • I have distilled 10 key principles as a basic set • these are brief summaries for slide presentation • www.viewpoints-and-perspectives.info 7
A SYSTEMTO BE SECURED 8
TEN KEY SECURITY PRINCIPLES • Assign the least privilege possible • Separate responsibilities • Trust cautiously • Simplest solution possible
 • Audit sensitive events • Fail securely & use secure defaults • Never rely upon obscurity • Implement defence in depth • Never invent security technology • Find the weakest link 9
LEAST PRIVILEGE Why? Broad privileges allow malicious or accidental access to protected resources Principle Limit privileges to the minimum for the context Tradeoff Less convenient, less efficient, more complexity Example Run server processes as their own users with exactly the set of privileges they require 10
SEPARATE RESPONSIBILITIES Why? Achieve control and accountability, limit the impact of successful attacks, make attacks less attractive Principle Separate and compartmentalise responsibilities and privileges Tradeoff Development and testing costs, operational complexity, troubleshooting more difficult Example “Payments” module administrators have no access to or control over “Orders” module features 11
SEPARATE RESPONSIBILITIES 12
TRUST CAUTIOUSLY Why? Many security problems caused by inserting malicious intermediaries in communication paths Principle Assume unknown entities are untrusted, have a clear process to establish trust, validate who is connecting Tradeoff Operational complexity (particularly failure recovery), reliability, some development overhead Example Don't accept untrusted RMI connections, use client certificates, credentials or network controls 13
TRUST CAUTIOUSLY Why? Many security problems caused by inserting malicious intermediaries in communication paths Principle Assume unknown entities are untrusted, have a clear process to establish trust, validate who is connecting Tradeoff Operational complexity (particularly failure recovery), reliability, some development overhead Example Don't accept untrusted RMI connections, use client certificates, credentials or network controls 14
TRUST CAUTIOUSLY Why? Many security problems caused by inserting malicious intermediaries in communication paths Principle Assume unknown entities are untrusted, have a clear process to establish trust, validate who is connecting Tradeoff Operational complexity (particularly failure recovery), reliability, some development overhead Example Don't accept untrusted RMI connections, use client certificates, credentials or network controls 15
TRUST CAUTIOUSLY Who are you? How do we know? What is connecting to our services? What are we connecting to? What can access our database?16
SIMPLEST SOLUTION POSSIBLE Why? Security requires understanding of the design - complex design is rarely understood - simplicity allows analysis Principle Actively design for simplicity - avoid complex failure modes, implicit behaviour, unnecessary features, … Tradeoff Hard decisions on features and sophistication Needs serious design effort to be simple Example Does the system really need dynamic runtime configuration via a custom DSL? The price of reliability is the pursuit of the utmost simplicity - C.A.R. Hoare 17
AUDIT SENSITIVE EVENTS Why? Provide record of activity, deter wrong doing, provide a log to reconstruct the past, provide a monitoring point Principle Record all security significant events in a tamper- resistant store Tradeoff Performance, operational complexity, development cost Example Record all changes to "core" business entities in an append-only store with (user, ip, timestamp, entity, event) 18
AUDITING 19
SECURE DEFAULTS & 
 FAIL SECURELY Why? Default passwords, ports & rules are “open doors” Failure and restart states often default to “insecure” Principle Force changes to security sensitive parameters Think through failures - must be secure but recoverable Tradeoff Convenience Example Don’t allow “SYSTEM/MANAGER” after installation On failure don’t disable or reset security controls 20
NEVER RELY ON OBSCURITY Why? Hiding things is difficult - someone is going to find them, accidentally if not on purpose Principle Assume attacker with perfect knowledge, this forces secure system design Tradeoff Designing a truly secure system takes time and effort Example Assume that an attacker will guess a "port knock" network request sequence or a password encoding 21
DEFENCE IN DEPTH Why? Systems do get attacked, breaches do happen, mistakes are made - need to minimise impact Principle Don’t rely on single point of security, secure every level, vary mechanisms, stop failures at one level propagating Tradeoff Redundancy of policy, complex permissioning and troubleshooting, can make recovery harder Example Access control in UI, services, database, OS 22
DEFENCE IN DEPTH 23
NEVER INVENT SECURITYTECH Why? Security technology is difficult to create - specialist job, avoiding vulnerabilities is difficult Principle Don’t create your own security technology always use a proven component Tradeoff Time to assess security technology, effort to learning it, complexity Example Don’t invent your own SSO mechanism, secret storage or crypto libraries … choose industry standards 24
NEVER INVENT SECURITY TECHNOLOGY 25
NEVER INVENT SECURITY TECHNOLOGY 26
SECURETHE WEAKEST LINK Why? "Paper Wall" problem - common when focus is on technologies not threats Principle Find the weakest link in the security chain and strengthen it - repeat! (Threat modelling) Tradeoff Significant effort required, often reveals problems at the least convenient moment! Example Data privacy threat met with encrypted communication but with unencrypted database storage and backups 27
TEN KEY SECURITY PRINCIPLES • Assign the least privilege possible • Separate responsibilities • Trust cautiously • Simplest solution possible
 • Audit sensitive events • Fail securely & use secure defaults • Never rely upon obscurity • Implement defence in depth • Never invent security technology • Find the weakest link 28
REFERENCES • UK Government NCSC Security Principles:
 https://www.ncsc.gov.uk/guidance/security-design-principles-digital-services- main • NIST Engineering Principles for IT Security:
 http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf • Short intro to McGraw’s set:
 http://www.zdnet.com/article/gary-mcgraw-10-steps-to-secure-software/ • OWASP Principles set:
 https://www.owasp.org/index.php/Category:Principle 29
BOOKS 30
THANKYOU … QUESTIONS? Eoin Woods
 Endava
 eoin.woods@endava.com @eoinwoodz 31

Recommended

Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working Architect
Eoin Woods
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
Network Security 1st Lecture
Network Security 1st LectureNetwork Security 1st Lecture
Network Security 1st Lecture
babak danyal
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
cclark_isec
 
Introduction Network security
Introduction Network securityIntroduction Network security
Introduction Network security
IGZ Software house
 

Recommended

Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working Architect
Eoin Woods
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
Network Security 1st Lecture
Network Security 1st LectureNetwork Security 1st Lecture
Network Security 1st Lecture
babak danyal
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
cclark_isec
 
Introduction Network security
Introduction Network securityIntroduction Network security
Introduction Network security
IGZ Software house
 
Defence in Depth Architectural Decisions
Defence in Depth Architectural DecisionsDefence in Depth Architectural Decisions
Defence in Depth Architectural Decisions
Peter Rawsthorne
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019
Ivanti
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
btpsec
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
PECB
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
mohamed nasri
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
Coenraad Smith
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
Introduction to Cybersecurity Fundamentals
Introduction to Cybersecurity FundamentalsIntroduction to Cybersecurity Fundamentals
Introduction to Cybersecurity Fundamentals
Toño Herrera
 
Network Security ppt
Network Security pptNetwork Security ppt
Network Security ppt
SAIKAT BISWAS
 
Building the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseBuilding the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAse
Don Murdoch GSE CyberGuardian CISSP
 
Information security
Information securityInformation security
Information security
AlaaMahmoud108
 
Computer security design principles
Computer security design principlesComputer security design principles
Computer security design principles
Shaishav Dahal
 
Design of a secure "Token Passing" protocol
Design of a secure "Token Passing" protocolDesign of a secure "Token Passing" protocol
Design of a secure "Token Passing" protocol
Augusto Ciuffoletti
 

More Related Content

What's hot

What's hot (20)

Defence in Depth Architectural Decisions
Defence in Depth Architectural DecisionsDefence in Depth Architectural Decisions
Defence in Depth Architectural Decisions
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Introduction to Cybersecurity Fundamentals
Introduction to Cybersecurity FundamentalsIntroduction to Cybersecurity Fundamentals
Introduction to Cybersecurity Fundamentals
 
Network Security ppt
Network Security pptNetwork Security ppt
Network Security ppt
 
Building the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseBuilding the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAse
 
Information security
Information securityInformation security
Information security
 

Viewers also liked

Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
WrikeTechClub
 
Security_Testing_Presentation
Security_Testing_PresentationSecurity_Testing_Presentation
Security_Testing_Presentation
Razil Shaik
 
Endava Career Days Jan 2012 Five Dysfunctions of a Team
Endava Career Days Jan 2012 Five Dysfunctions of a TeamEndava Career Days Jan 2012 Five Dysfunctions of a Team
Endava Career Days Jan 2012 Five Dysfunctions of a Team
Endava
 
Penetration Testing Execution Standard
Penetration Testing Execution StandardPenetration Testing Execution Standard
Penetration Testing Execution Standard
Iftach Ian Amit
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
Amazon Web Services
 

Viewers also liked (20)

Computer security design principles
Computer security design principlesComputer security design principles
Computer security design principles
 
Design of a secure "Token Passing" protocol
Design of a secure "Token Passing" protocolDesign of a secure "Token Passing" protocol
Design of a secure "Token Passing" protocol
 
Using Software Architecture Principles in Practice
Using Software Architecture Principles in PracticeUsing Software Architecture Principles in Practice
Using Software Architecture Principles in Practice
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
 
Security_Testing_Presentation
Security_Testing_PresentationSecurity_Testing_Presentation
Security_Testing_Presentation
 
Endava Career Days Jan 2012 Five Dysfunctions of a Team
Endava Career Days Jan 2012 Five Dysfunctions of a TeamEndava Career Days Jan 2012 Five Dysfunctions of a Team
Endava Career Days Jan 2012 Five Dysfunctions of a Team
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
 
Security testing operation vijay
Security testing operation vijaySecurity testing operation vijay
Security testing operation vijay
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016
 
Information gathering using windows command line utility
Information gathering using windows command line utilityInformation gathering using windows command line utility
Information gathering using windows command line utility
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Firewalls
FirewallsFirewalls
Firewalls
 
Penetration Testing Execution Standard
Penetration Testing Execution StandardPenetration Testing Execution Standard
Penetration Testing Execution Standard
 
Security testing
Security testingSecurity testing
Security testing
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Compliance in the Cloud Using “Security by Design” Principles
Compliance in the Cloud Using “Security by Design” PrinciplesCompliance in the Cloud Using “Security by Design” Principles
Compliance in the Cloud Using “Security by Design” Principles
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantRequirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
 
TMPA-2017: Regression Testing with Semiautomatic Test Selection for Auditing ...
TMPA-2017: Regression Testing with Semiautomatic Test Selection for Auditing ...TMPA-2017: Regression Testing with Semiautomatic Test Selection for Auditing ...
TMPA-2017: Regression Testing with Semiautomatic Test Selection for Auditing ...
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
 

Similar to Secure by Design - Security Design Principles for the Rest of Us

A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
PECB
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 
India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008
ValueMentor Consulting
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
Adrian Sanabria
 
Developing a Rugged DevOps Approach to Cloud Security
Developing a Rugged DevOps Approach to Cloud SecurityDeveloping a Rugged DevOps Approach to Cloud Security
Developing a Rugged DevOps Approach to Cloud Security
TechWell
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
Career Communications Group
 
Alexander Antukh. (In)security of Appliances
Alexander Antukh. (In)security of AppliancesAlexander Antukh. (In)security of Appliances
Alexander Antukh. (In)security of Appliances
Positive Hack Days
 

Similar to Secure by Design - Security Design Principles for the Rest of Us (20)

Application and Data Security in the Software Development Lifecycle
Application and Data Security in the Software Development Lifecycle Application and Data Security in the Software Development Lifecycle
Application and Data Security in the Software Development Lifecycle
 
Principles for Secure Design and Software Security
Principles for Secure Design and Software Security Principles for Secure Design and Software Security
Principles for Secure Design and Software Security
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 
Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information Security
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!
 
Agile security
Agile securityAgile security
Agile security
 
India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008
 
C days2015
C days2015C days2015
C days2015
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security services
 
Developing a Rugged DevOps Approach to Cloud Security
Developing a Rugged DevOps Approach to Cloud SecurityDeveloping a Rugged DevOps Approach to Cloud Security
Developing a Rugged DevOps Approach to Cloud Security
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
 
Alexander Antukh
Alexander AntukhAlexander Antukh
Alexander Antukh
 
Alexander Antukh. (In)security of Appliances
Alexander Antukh. (In)security of AppliancesAlexander Antukh. (In)security of Appliances
Alexander Antukh. (In)security of Appliances
 
Risks vs real life
Risks vs real lifeRisks vs real life
Risks vs real life
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 

More from Eoin Woods

Democratising Software Architecture
Democratising Software ArchitectureDemocratising Software Architecture
Democratising Software Architecture
Eoin Woods
 
Models, Sketches and Everything In Between
Models, Sketches and Everything In BetweenModels, Sketches and Everything In Between
Models, Sketches and Everything In Between
Eoin Woods
 
Software Architecture as Systems Dissolve
Software Architecture as Systems DissolveSoftware Architecture as Systems Dissolve
Software Architecture as Systems Dissolve
Eoin Woods
 

More from Eoin Woods (13)

API Vulnerabilties and What to Do About Them
API Vulnerabilties and What to Do About ThemAPI Vulnerabilties and What to Do About Them
API Vulnerabilties and What to Do About Them
 
Democratising Software Architecture
Democratising Software ArchitectureDemocratising Software Architecture
Democratising Software Architecture
 
A Breathless Tour of Blockchain
A Breathless Tour of BlockchainA Breathless Tour of Blockchain
A Breathless Tour of Blockchain
 
Models, Sketches and Everything In Between
Models, Sketches and Everything In BetweenModels, Sketches and Everything In Between
Models, Sketches and Everything In Between
 
Capturing Design (When you really have to)
Capturing Design (When you really have to)Capturing Design (When you really have to)
Capturing Design (When you really have to)
 
Serverless Computing for the Inquiring Mind
Serverless Computing for the Inquiring MindServerless Computing for the Inquiring Mind
Serverless Computing for the Inquiring Mind
 
Software Architecture as Systems Dissolve
Software Architecture as Systems DissolveSoftware Architecture as Systems Dissolve
Software Architecture as Systems Dissolve
 
Software Architecture as Systems Dissolve (OOP2016)
Software Architecture as Systems Dissolve (OOP2016)Software Architecture as Systems Dissolve (OOP2016)
Software Architecture as Systems Dissolve (OOP2016)
 
When Architecture Meets Data
When Architecture Meets DataWhen Architecture Meets Data
When Architecture Meets Data
 
System Security Beyond the Libraries
System Security Beyond the LibrariesSystem Security Beyond the Libraries
System Security Beyond the Libraries
 
Getting Your System to Production and Keeping it There
Getting Your System to Production and Keeping it ThereGetting Your System to Production and Keeping it There
Getting Your System to Production and Keeping it There
 
Common WebApp Vulnerabilities and What to Do About Them
Common WebApp Vulnerabilities and What to Do About ThemCommon WebApp Vulnerabilities and What to Do About Them
Common WebApp Vulnerabilities and What to Do About Them
 
Deferring the Last Responsible Moment
Deferring the Last Responsible MomentDeferring the Last Responsible Moment
Deferring the Last Responsible Moment
 

Recently uploaded

StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
steffenkarlsson2
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
Alluxio, Inc.
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Gáspár Nagy
 

Recently uploaded (20)

A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachKLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
Breaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdfBreaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdf
 

Secure by Design - Security Design Principles for the Rest of Us

  • 1. SECURE BY DESIGN Security Design Principles for the Rest of Us
 GOTO London 2016 Eoin Woods - Endava
 @eoinwoodz 1
  • 2. BACKGROUND • Eoin Woods • CTO at Endava (technology services, 3300 people) • 10 years in product development - Bull, Sybase, InterTrust • 10 years in capital markets applications - UBS and BGI • Software engineer, then architect, now CTO • Author, editor, speaker, community guy 2
  • 3. CONTENT • What is security and why do we care? • What are design principles, why are they useful? • Security design principles • 10 important principles useful in practice 3
  • 4. REVISITING SECURITY • We all know security is important - but why? • protection against malice, mistakes and mischance • theft, fraud, destruction, disruption • Security is a risk management business • loss of time, money, privacy, reputation, advantage • insurance model - balance costs against risk of loss 4
  • 5. ASPECTS OF SECURITY PRACTICE Secure Application Design Secure Application Implementation Secure Infrastructure Design Secure Infrastructure Deployment Secure System Operation 5
  • 6. SECURITY DESIGN PRINCIPLES What is a “principle” ? a fundamental truth or proposition serving as the foundation for belief or action [OED] We define a security design principle as …. a declarative statement made with the intention of guiding security design decisions in order to meet the goals of a system 6
  • 7. SECURITY DESIGN PRINCIPLES • There are many sets of security design principles • Viega & McGraw (10), OWASP (10), NIST (33), NCSC (44), Cliff Berg’s set (185) … • Many similarities between them at fundamental level • I have distilled 10 key principles as a basic set • these are brief summaries for slide presentation • www.viewpoints-and-perspectives.info 7
  • 8. A SYSTEMTO BE SECURED 8
  • 9. TEN KEY SECURITY PRINCIPLES • Assign the least privilege possible • Separate responsibilities • Trust cautiously • Simplest solution possible
 • Audit sensitive events • Fail securely & use secure defaults • Never rely upon obscurity • Implement defence in depth • Never invent security technology • Find the weakest link 9
  • 10. LEAST PRIVILEGE Why? Broad privileges allow malicious or accidental access to protected resources Principle Limit privileges to the minimum for the context Tradeoff Less convenient, less efficient, more complexity Example Run server processes as their own users with exactly the set of privileges they require 10
  • 11. SEPARATE RESPONSIBILITIES Why? Achieve control and accountability, limit the impact of successful attacks, make attacks less attractive Principle Separate and compartmentalise responsibilities and privileges Tradeoff Development and testing costs, operational complexity, troubleshooting more difficult Example “Payments” module administrators have no access to or control over “Orders” module features 11
  • 13. TRUST CAUTIOUSLY Why? Many security problems caused by inserting malicious intermediaries in communication paths Principle Assume unknown entities are untrusted, have a clear process to establish trust, validate who is connecting Tradeoff Operational complexity (particularly failure recovery), reliability, some development overhead Example Don't accept untrusted RMI connections, use client certificates, credentials or network controls 13
  • 14. TRUST CAUTIOUSLY Why? Many security problems caused by inserting malicious intermediaries in communication paths Principle Assume unknown entities are untrusted, have a clear process to establish trust, validate who is connecting Tradeoff Operational complexity (particularly failure recovery), reliability, some development overhead Example Don't accept untrusted RMI connections, use client certificates, credentials or network controls 14
  • 15. TRUST CAUTIOUSLY Why? Many security problems caused by inserting malicious intermediaries in communication paths Principle Assume unknown entities are untrusted, have a clear process to establish trust, validate who is connecting Tradeoff Operational complexity (particularly failure recovery), reliability, some development overhead Example Don't accept untrusted RMI connections, use client certificates, credentials or network controls 15
  • 16. TRUST CAUTIOUSLY Who are you? How do we know? What is connecting to our services? What are we connecting to? What can access our database?16
  • 17. SIMPLEST SOLUTION POSSIBLE Why? Security requires understanding of the design - complex design is rarely understood - simplicity allows analysis Principle Actively design for simplicity - avoid complex failure modes, implicit behaviour, unnecessary features, … Tradeoff Hard decisions on features and sophistication Needs serious design effort to be simple Example Does the system really need dynamic runtime configuration via a custom DSL? The price of reliability is the pursuit of the utmost simplicity - C.A.R. Hoare 17
  • 18. AUDIT SENSITIVE EVENTS Why? Provide record of activity, deter wrong doing, provide a log to reconstruct the past, provide a monitoring point Principle Record all security significant events in a tamper- resistant store Tradeoff Performance, operational complexity, development cost Example Record all changes to "core" business entities in an append-only store with (user, ip, timestamp, entity, event) 18
  • 20. SECURE DEFAULTS & 
 FAIL SECURELY Why? Default passwords, ports & rules are “open doors” Failure and restart states often default to “insecure” Principle Force changes to security sensitive parameters Think through failures - must be secure but recoverable Tradeoff Convenience Example Don’t allow “SYSTEM/MANAGER” after installation On failure don’t disable or reset security controls 20
  • 21. NEVER RELY ON OBSCURITY Why? Hiding things is difficult - someone is going to find them, accidentally if not on purpose Principle Assume attacker with perfect knowledge, this forces secure system design Tradeoff Designing a truly secure system takes time and effort Example Assume that an attacker will guess a "port knock" network request sequence or a password encoding 21
  • 22. DEFENCE IN DEPTH Why? Systems do get attacked, breaches do happen, mistakes are made - need to minimise impact Principle Don’t rely on single point of security, secure every level, vary mechanisms, stop failures at one level propagating Tradeoff Redundancy of policy, complex permissioning and troubleshooting, can make recovery harder Example Access control in UI, services, database, OS 22
  • 24. NEVER INVENT SECURITYTECH Why? Security technology is difficult to create - specialist job, avoiding vulnerabilities is difficult Principle Don’t create your own security technology always use a proven component Tradeoff Time to assess security technology, effort to learning it, complexity Example Don’t invent your own SSO mechanism, secret storage or crypto libraries … choose industry standards 24
  • 27. SECURETHE WEAKEST LINK Why? "Paper Wall" problem - common when focus is on technologies not threats Principle Find the weakest link in the security chain and strengthen it - repeat! (Threat modelling) Tradeoff Significant effort required, often reveals problems at the least convenient moment! Example Data privacy threat met with encrypted communication but with unencrypted database storage and backups 27
  • 28. TEN KEY SECURITY PRINCIPLES • Assign the least privilege possible • Separate responsibilities • Trust cautiously • Simplest solution possible
 • Audit sensitive events • Fail securely & use secure defaults • Never rely upon obscurity • Implement defence in depth • Never invent security technology • Find the weakest link 28
  • 29. REFERENCES • UK Government NCSC Security Principles:
 https://www.ncsc.gov.uk/guidance/security-design-principles-digital-services- main • NIST Engineering Principles for IT Security:
 http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf • Short intro to McGraw’s set:
 http://www.zdnet.com/article/gary-mcgraw-10-steps-to-secure-software/ • OWASP Principles set:
 https://www.owasp.org/index.php/Category:Principle 29
  • 31. THANKYOU … QUESTIONS? Eoin Woods
 Endava
 eoin.woods@endava.com @eoinwoodz 31