Security by Design Principles

Quick collection of useful Security by design principles.

Least Privilege

The principle least privilege assigns only the minimum necessary rights to software components and individuals. They should only be able to perform their required functions. Its purpose is to minimize the risk by restricting the number of entities and individuals with access to critical systems.

Further readings:

Defense in Depth

The principle defense in depth refers to an approach in which a variety of security mechanisms are layered on top of each other to protect the confidentiality, integrity, availability, and authenticity of a network and the data it contains. No individual mechanism can prevent all cyber threats. However, they collectively provide protection against a wide range of threats while providing redundancy in the event that one mechanism fails.

Further readings:

Fail Securely

The principle fail securely involves several actions such as secure defaults, transactional security, and sanitizing return values. As a general rule, whenever your software has to handle an occurring error, do not leak internal information and return into a state where the system is good to serve the next request.

Further readings:

When implementing this principle:

  • Disable all debug output in production that is useful during development.
  • Configure middleware like application servers to not return version numbers, stacktrace, and technical error messages.
  • When receiving a malformed HTTP request, reject it rather than guessing the intended content.

No Security by Obscurity

The principle no security by obscurity states that the security of a system must be guaranteed, even if the whole design and source-code is publicly available. The most famous example is Kerckhoffs’s Principle regarding encryption algorithms: It is easier to keep a key secret than an algorithm. In case the security is compromised, it is easier to replace the key than to fix the algorithm.

Further readings:

Detect and Record

The principle detect and record relies on proper logging activities that provide the basis for several activities including security monitoring, troubleshooting, and forensics.

Further readings:

Don’t Trust

The principle don’t trust refers to the assumption that the environment in which a system resides is insecure. Trust in external systems, code, or people should always be limited and never given loosely. Minimize trust in other systems and always validate/sanitize inputs.

Further readings:

Keep It Simple

The principle keep it simple states that the complexity of a system is one factor in evaluating a system’s security. If the design, implementation, or security mechanisms are highly complex, then the likelihood of vulnerabilities is increased.

Further readings:

The principle secure the weakest link refers to the fact that attackers prefer the weakest component instead of strongly fortified ones for their attacks. This is why there must be an nearly equal level of security for all components.

Further readings:

Decomposition

The principle decomposition describes the approach to logically partition subsystems. It ensures that a subsystem remains self-contained such that a compromise of one subsystem does not result in a compromise of another. By following this principle, a more fine granular approach to Least Privilege and Don’t Trust is possible.

Further readings:

Separation of Privilege

The principle separation of privilege refers to an approach that combines Decomposition and Least Privilege, which results in components and accounts with highly limited responsibilities and permissions. If an attacker is able to obtain one permission but not a second, the attacker might not be able to launch a successful attack.

Further readings:

Use Secure Defaults

The principle use secure defaults ensures that components always use secure configurations by default (e.g., when installed).

Further readings:

Don’t Reinvent the Wheel

The principle don’t reinvent the wheel states that existing solutions should be preferred over self-developed ones. Using security technologies - like crypto - correctly is hard, correctly implementing them is even harder. Apart from security technologies, this applies to other technologies like parsers, unparsers, data formats, and protocols as well.

Further readings:

Written on June 6, 2022


◀ Back to the Pensieve