Teaching "Secure by Design"

Question

I'm a Security Architect, and I'm used to defining the security of project as a specification that gets carried out by others. I have been recently tasked with teaching new coders how to design and program using the principles of "Secure by Design" (and in the near future "Privacy by Design"). I have 30-45 minutes (yeah, I know), and the talk needs to be language-agnostic. This means I need to present actionable rules than can be applied by the web devs, application devs, and infrastructure devs.

I came up with 5 Basic Rules and a Supplement:

1. Trust no internal/external input (covers sanitation, buffer overflows, etc.)
2. Least Privilege for any entity, object or user
3. Fail "no privilege"
4. Secure, even if design is known/public
5. Log so that someone unfamiliar with the system can audit every action

Supplement: If you violate a Rule, prove the mitigation can survive future programmers adding functionality.

Each of those rules can be augmented with examples from any language or application, for specific guidance. I believe this handles most of the general principles of "Secure by Design" from a high-level perspective. Have I missed anything?

Answer 1

The canonical resource for the concept of secure-by-design is "The Protection of Information in Computer Systems" by Saltzer and Schroeder. The essence is distilled into their 8 principles of secure design:

1. Economy of mechanism
2. Fail-safe defaults
3. Complete mediation
4. Open design
5. Separation of privilege
6. Least privilege
7. Least common mechanism
8. Psychological acceptability

These principles, laid out in 1974, are still fully applicable today.

Answer 2

It will be hard to teach design principles in 30 minutes. I agree with others who say that you have to get them excited in some fashion. I developed the "Elevation of Privilege" card game to get people excited about threat modeling, it might be helpful. (https://blogs.microsoft.com/cybertrust/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game/)

Teaching people how to think like an attacker is very challenging, it's easier to teach them about a few attacks like SQL injection or cross-site scripting.

Lastly, if you do want to try to teach principles, I did a series of blog posts illustrating Saltzer and Schroeder with scenes from Star Wars: http://emergentchaos.com/the-security-principles-of-saltzer-and-schroeder

Answer 3

Rather than focus on rules and "follow these 5 rules, and you're secure", I'd focus on teaching developers about attackers, and how they think. You can't really cover 5 different things, each of which requires some in-depth knowledge to really implement properly, so why try?

The developers I've talked to seem to think hacking is "really hard", and don't really understand how easy it can really be. So explaining what people really do to thwart security can be eye-opening.

An example:

A few years ago I was reviewing a 3rd party web based reporting product and we had a developer from the vendor in to create some reports using the product. I asked about security and how it worked in their product. He proceeded to do a "view source" on the report web page, and show me how everything was dynamic HTML, and therefore was unhackable. I sat dumbfounded for a minute, but told him that this wasn't really workable security, that you can't trust the client end, blah blah blah.

He didn't believe me, and asked how anyone could possibly hack this product. I thought for a minute, said that I'd hook up the browser to a proxy server, and examine what the request/response was. (Today I'd just use the tamper-data plugin). He then said this would be "The hack of the century!" At this point I just threw up my hands in defeat, since he'd already decided his product was "secure". The only way to convince him would be to actually hack his product, which wasn't really worth my time since I wasn't going to buy the product anyway.

The point is, you need to start with the need for security and what we're all up against. If they don't understand that, it's game over. At the very least you'll instill a bit of fear in them, which is a good motivator. From what I've seen many developers don't really "get it", and they need to understand what they're up against first. Primarily to be able to understand WHY they need to develop secure applications.

Get people actually interested in security, and you might get something out of it. Otherwise I fear whatever you present in 35 minutes will just fall on deaf ears.

Answer 4

You may want to grab their attention first. A demo of a SQL injection attack is simple, understandable, and might underscore the topic's importance. You can refer back to it throughout the talk as you make points.

I like that you get into trust boundaries. With input validation, I'd hit that in more detail. Length validation first, then mention whitelisting and blacklisting. Do you recommend they try to automatically fix bad data, or should bad input be rejected? Touch on strategies that you'd recommend.

Regarding least privilege, this might be an opportunity to introduce the ideas of role-based access control, and the advantages over a user-based system.

I think there's an opportunity to mention the principle of defense in depth. Input sanitization is critical, but following it up in the code by requiring parameterized SQL would help even if someone misses the boat on the input.

Regarding logging, make sure they understand the delta between an error message displayed to the user, and the contents of the log files. And be sure they aren't logging anything sensitive.

Also consider discussing a development process that helps ensure they stay on a secure track. Make sure peer code reviews, use of static code analyzers, and dynamic analyzers are a part of their development process. That may be outside of the scope of the training, but you could to teach them how reviews and tools help improve their code.

30-45 minutes ... ouch. You could go back to the organizer and request two or three days, see what kind of reaction that gets. Or maybe a 10 semester program... Anyway, good luck!

Answer 5

You've got a tough task, obviously, and all of the considerations to talk about you've mentioned will give you a very full plate. But I think some mention or tie-back to everyone's most-favored-buzzword, less-frequently-implemented overarching strategy of defense-in-depth would be very valuable to work in, if you could. Or, perhaps phrase it in another way, "The need to value and create redundancy of security measures against any given major threat vector in any decent security design."

You're building a web app, and you're pretty confident you've got a robust mechanism in place to sanitize any & all code injection efforts out of your input? That's nice. Now assume a creative attacker finds an implementation flaw that you never even thought of, a flaw that allows some really nasty, powerful code to get in front of your actual application. Are you designing & hardening your app logic with the idea that it might need to face that scenario, or are you just going to assume that because you have what you see as a strong, reliable single defensive mechanism against getting code in front of your application you can shift your focus to other things? Because the difference between those two choices is often going to be the difference between arriving at something that might be a robust security design vs. coming up with what will almost certainly be an inherently fragile security design.

(Note: as I'm writing this I'm realizing the example of relying on input sanitization as a perfect defense isn't the best one, because in the Real World we live in today hopefully few competent developers would fall into a temptation to take something as known-to-be-very imperfect as input sanitization as a rock solid, impenetrable line of defense. Hopefully. But you take my broader point point... )