Questions tagged [security-by-design]

29 questions
9 votes, 2 answers

Security by design - clarification

I work as a contractor in the IS Security field. I was hired by my current client to design and enforce a methodology to make sure security risks are assessed and addressed in all IT projects. Besides this assignment, my client asked me yesterday…
ero
8 votes, 2 answers

End-to-end Encrypted Group Chat Considerations

I was thinking about building a simple end-to-end encrypted chat with group chat capabilities. Please bear in mind that 1) it's just an experiment to help me know more about cryptography and 2) I'm a humble programmer, not a security expert that…
TCB13
3 votes, 1 answer

What are the security implications of allowing API consumer to decide primary key stored in database?

Story: We are developing an API which allows consumers to create or modify (i.e. upsert) objects stored in a database via an endpoint with HTTP PUT. The primary key of the object stored in this way is a GUID instead of an auto-increment number to…
Zephyr
3 votes, 1 answer

Security-by-design based on an existing framework or a custom design?

Personally I do most of the development in PHP (the programming language doesn't really matter for this question). Popular PHP frameworks among developers are, for example: CodeIgniter, Laravel, Symfony. Of these three frameworks, I know most about…
Bob Ortiz
2 votes, 2 answers

How can I verify the hash of the plain text without being able to decrypt the cipher text?

I am building an E2EE chat app where there is one asymmetric key pair per group. Each user also has one asymmetric key pair. All messages in a group chat are encrypted with the group public key and decrypted with the group private key. When Alice is…
2 votes, 3 answers

Are injection vulnerabilities a design or an implementation flaw?

Are injection vulnerabilities mainly a design or an implementation problem? I'm using SQL injection as an example; I'm interested in other injection vulnerabilities as well. I believe that it is the direct consequence of lazy programming, i.e. lack…
2 votes, 1 answer

Multi-Factor and order of authentication

I'm questioning the design and architecture around 2FA/MFA controls while authenticating to services and servers. On major platforms (*), the end-user is: first prompted for credentials (username/password) - something you know, then prompted for the…
2 votes, 0 answers

Why don't smartphone manufacturers write the IMEI onto one time writable ROM so that it can't be tampered with?

The title says it all basically. Even now, why is tampering with the IMEI possible at all? Shouldn't manufacturers be using one time writable memory to embed the IMEI into phones? Why don't they?
Nikhil
2 votes, 1 answer

How useful is PDF signing in real world usage?

Background scenario: So we had a problem where our system (Alice's shiny widgets) generated a PDF with a quote amount for 10 widgets. Someone (Eve) took the PDF, altered it to increase the price by 20%, they then presented the PDF as an expense…
DarcyThomas
2 votes, 3 answers

Partitioning database to enhance security/anonymity?

The goal here is to prevent identification of the users and their data. Is it a good idea to partition my database into multiple ones, one for each kind of sensitive data, hiding the links between them? At first it seems that the answer is yes,…
2 votes, 2 answers

Why isn't applying security and usability best practices enough?

I have a homework question that suggests that applying security and usability best practices isn't enough to create a secure and usable system. What am I missing? Why isn't this enough? If I follow usability best practices will I end up with a…
Amy
1 vote, 1 answer

Do we need threat modelling after following ASVS standard?

We are planning to lay out guidelines in our organisation for everyone to follow a secure software development lifecycle. As part of this, we plan to adopt the security knowledge framework (SKF) that provides a checklist based on the ASVS standard…
1 vote, 4 answers

Is it possible to detect malicious software just by analyzing the code structure?

I'm a newbie to software security. I'm designing a network and I was wondering whether it is possible to detect if a program upgrade being downloaded on the network is malicious just by analyzing the structure of the downloaded executable? I tried some…
1 vote, 1 answer

How can I preserve the uniqueness of a document without a database?

I'm willing to create a system of transferable documents (identified by its ID) whose author can transfer his ownership of that document to another person (identified by his/her ID). For example: Alice; owner of document 1. Alice transfers his…
John
1 vote, 0 answers

How can you stay safe from spyware used by governments?

It is a fact that antivirus software can't detect all the spyware/viruses/malware that exist. And when they get detected, new ones are created. An example is the Pegasus spyware for iOS created by the NSO group. There is also an Android version…