LinkedIn and 3rd parties use essential and non-essential cookies to provide, secure, analyze and improve our Services, and to show you relevant ads (including professional and job ads) on and off LinkedIn. Learn more in our Cookie Policy.

Select Accept to consent or Reject to decline non-essential cookies for this use. You can update your choices at any time in your settings.

Start free trial Sign in

From the course: ISC2 Certified Secure Software Lifecycle Professional (CSSLP) (2023) Cert Prep

Unlock the full course today

Join today to access over 24,700 courses taught by industry experts.

Open design

Open design

From the course: ISC2 Certified Secure Software Lifecycle Professional (CSSLP) (2023) Cert Prep

Start my 1-month free trial Buy for my team

Open design

“

- [Instructor] Assuming that hidden is the same thing as secure is a dangerous habit for application security professionals. Obscurity provides a false sense of security. Any penetration tester could tell you that there is always a way to get to the secrets that you thought were safe from prying eyes. The more eyes you have on your application security design, the better. We call this approach open design. Keep in mind that we're talking about the high-level design here, not the details of every component within the application. Certain secrets, like passwords and encryption keys, should remain secret. Don't publish that information for everyone to see. But things like frameworks, libraries, and encryption algorithms should be documented and reviewed by a larger team. One of the reasons for embracing this open design principle is that it actually helps ensure the confidentiality of both the data and the source code. This might seem counterintuitive at first, but bear with me for a…

Contents