
I work as a contractor in the IS Security field. I was hired by my current client to design and enforce a methodology to make sure security risks are assessed and addressed in all IT projects. Besides this assignment, my client asked me yesterday what my knowledge of the Security by Design (SbD) concept was, if I thought it was applied in his organization and how my mission contributed to this. I honestly replied that while I had a basic understanding of what SbD is, I didn't feel comfortable giving him a definitive answer on the spot and that I would look into it.

Which I did. But it seems pretty hard to find a concrete definition of SbD. My impression is that it is - in practice, I know there is an actual and important concept behind these words - mainly used as a fashionable marketing argument people put in their presentations to please management. But are there concrete criteria to assess if a project / organization applies the SbD concept? Or is it just the idea of taking security problems into account in every aspect of the work, and letting one decide how to enforce this?

schroeder
ero
    Bruce Schneier recently had something about security lessons from a power saw in [his blog](https://www.schneier.com/blog/archives/2016/10/security_lesson_3.html) that you might find interesting. I associate "security by design" with "failsafe" or "fail safely". That's probably way too narrow, though. – Out of Band Mar 08 '17 at 16:05
    My understanding is that, security comes before the business requirements. You don't "build something that works that is secure", you "build something that is secure, and also happens to work". It's more of a way of looking at problems than anything – Cruncher Mar 08 '17 at 18:11

2 Answers


It is a little bit of a grey area, as everyone interprets it a little differently, but consistent aspects of Secure by Design include:

  • an architecture which has security built in by default
  • a code design and review process which has sufficient checks
  • developers/designers/architects trained in security
  • automated checking
  • continuous monitoring through development (esp DevOps)
  • 4-eyes checking

Etc.

It puts the emphasis on getting security built in early, instead of counting on remediation after the fact.

This has some obvious benefits, including a dramatically lowered lifecycle cost.

To clarify as per jpmc26's comment, building a secure architecture means designing it to have layers of protection, to avoid obvious holes (and also to avoid having accidental holes appear), to default-secure or default-closed when things fail, to understand the security requirements before starting to build so they don't need to be added on afterwards...etc.

Rory Alsop
  • "an architecture which has security built in by default" I'm not quite sure what this even means, beyond some broad sense of, "This soup of stuff has some handy features that will help us be more secure if we bother to use them correctly." Is that about all it's supposed to say? – jpmc26 Mar 09 '17 at 02:30
  • No. That's almost the opposite. I'll make time to clarify later – Rory Alsop Mar 09 '17 at 06:52

I would agree with @Pascal's comment: my first thought was that secure by design would involve having well specified failure modes.

Or, more generally, to avoid any unspecified/unexpected behaviour, and ensure both success and failure follow the appropriate paths.

Possibly not entirely on-topic, but checking Microsoft's Secure Development Lifecycle (which I partially see as an attempt to make Windows secure by design, albeit after the original design has been built and shipped), they have some useful pointers on the design stage of their SDL (https://www.microsoft.com/en-us/sdl/default.aspx) - I am slightly paraphrasing them:

  • Establish design requirements (include security and privacy requirements)
  • Attack surface analysis and reduction
  • Using threat modelling

See also https://www.microsoft.com/en-us/SDL/process/design.aspx.

So I would tend to think that Secure by Design would involve something a bit more concrete than only considering security in general - but finding a solid reference to back the feeling up is a little more difficult, it seems.

iwaseatenbyagrue
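Both answers point at the same concrete, checkable criterion: that failure has a specified, safe path (the first answer's "default-closed when things fail", the second's "well specified failure modes ... ensure both success and failure follow the appropriate paths"). The Python below is an added illustration of that criterion and is not code from either answer or from the question. It contrasts an authorization check whose failure mode is unspecified (an exception is swallowed and the default is to allow) with one that enumerates every outcome and only grants access on an explicit allow. The policy table, the principals, and the `PolicyStoreError` backend failure are all constructed for the example.

```python
"""Fail-open vs. fail-closed authorization: an added example, not code from the page."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set

# Constructed sample policy: principal -> set of permitted actions.
# In a real system this comes from a policy store that can be unavailable.
POLICY: Dict[str, Set[str]] = {
    "alice": {"read", "write"},
    "bob": {"read"},
}


class PolicyStoreError(Exception):
    """Raised when the (hypothetical) policy backend cannot answer."""


def lookup_permissions(principal: str, store_available: bool = True) -> Optional[Set[str]]:
    """Simulated backend lookup. Returns None for an unknown principal."""
    if not store_available:
        raise PolicyStoreError("policy store unreachable")
    return POLICY.get(principal)


# --- Fail-open check: what an unspecified failure mode looks like in code ---
def is_allowed_fail_open(principal: str, action: str, store_available: bool = True) -> bool:
    allowed = True  # "let it through unless we find a reason not to"
    try:
        perms = lookup_permissions(principal, store_available)
        if perms is not None and action not in perms:
            allowed = False
    except PolicyStoreError:
        pass  # swallowed: a backend outage silently becomes universal access
    return allowed


# --- Fail-closed check with every outcome named ---
class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ERROR = "error"  # kept distinct from DENY so outages show up in logs and metrics


@dataclass(frozen=True)
class AuthzResult:
    decision: Decision
    reason: str

    @property
    def permitted(self) -> bool:
        # Only an explicit ALLOW grants access; DENY and ERROR both refuse.
        return self.decision is Decision.ALLOW


def authorize(principal: str, action: str, store_available: bool = True) -> AuthzResult:
    try:
        perms = lookup_permissions(principal, store_available)
    except PolicyStoreError as exc:
        return AuthzResult(Decision.ERROR, f"policy lookup failed: {exc}")
    if perms is None:
        return AuthzResult(Decision.DENY, "unknown principal")
    if action in perms:
        return AuthzResult(Decision.ALLOW, "explicit grant")
    return AuthzResult(Decision.DENY, "no grant for action")


if __name__ == "__main__":
    # Unknown principal and backend outage: the fail-open check grants both.
    print("fail-open, unknown principal:", is_allowed_fail_open("carol", "write"))
    print("fail-open, store down:      ", is_allowed_fail_open("bob", "write", False))
    # The fail-closed check refuses both, and says why.
    for args in (("carol", "write", True), ("bob", "write", False), ("alice", "write", True)):
        res = authorize(*args)
        print(args[:2], res.decision.value, "-", res.reason)
```

The point of the separate `ERROR` outcome is that a store outage and a policy denial should not be indistinguishable: both refuse access, but only the former is an incident, which is what the "continuous monitoring" item in the first answer needs to see.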