TRESEC MEETUP
Secure design best practices and design patterns
Henry Haverinen, February 5, 2019
| © INSTA
Insta company overview: Aviation, Defence, Analytics, Cyber, Response, Automation
Solutions worth your trust; profitable growth and continuity; global and local technology and partner network
Business areas: C5ISR; Training Systems & Simulation; Secure Software Development; AI, Advanced Analytics and Data Driven solutions for mobile machinery and process industry; Partner for Security Aware Organizations; SOC, Secure Identity, Network Security; Next Generation Emergency Response Centers; Virtual Control Room; Automation and electrification solutions, lifecycle services; Aviation technology solutions, services and lifecycle solutions; UAV training, operation services
Secure digitalization
About the speaker
Henry Haverinen
Leads technology and R&D at Intopalo Digital
Software leader, SDL specialist, cybersecurity architect, product manager, SAFe 4 Certified Agilist, Doctor of Science (Technology)
Connect with me on LinkedIn at https://www.linkedin.com/in/henryhaverinen/
Outline
Secure design best practices and design patterns – what are they?
A few examples
How to include them in the development process
Discussion – How do you apply them? What would you recommend to try out?
Secure design best practices
Secure design best practices
Rules of thumb on secure design
Many best practices work on different levels: from system design to software design
High level and simple
A certain best practice might not apply to all situations. Different best practices may give contradicting advice. Adult supervision is recommended!
You’ll also hear excuses and explanations that are not valid reasons to ignore secure design best practices.
Secure design best practices
• Keep It Simple, Stupid (KISS)
• Defense in depth
• Attack surface reduction
• Principle of least privilege
• Use proven components and designs
• No single points of failure
• Complete mediation
• Input validation and error handling
• Good enough security
• Data privacy design considerations
• Fail safe and fail secure
• Open design
• Psychological acceptability
• Secure by default
• Separation of duties
Attack surface reduction
Attack surface reduction:
• Turn off unnecessary functionality, ports, services etc.
• Reduce the amount of code running
• Reduce entry points available to untrusted users
• Prefer a whitelist approach instead of blacklisting
Example of using this practice – Remove all development time features, debug ports etc., or document their presence and the need to protect them.
Example of not following this practice – Allowing direct maintenance remote access with RDP or SSH to all individual hosts of the system, rather than implementing a separate intermediate host, a so-called “bastion host” or “jump host”.
Complete mediation
Complete mediation: A software system that requires access checks to an object each time a subject requests access to objects; this decreases the chances of mistakenly giving elevated permissions to the subject.
• Explicit deny: any function that is not specifically authorized is denied by default.
Example of using this practice – the system does not rely on a previous access control check done at login time, but performs an authorization check on every REST API call.
Example of not following this practice – The developer assumes a certain sequence of actions in a complex use case such as purchasing, and performs an authorization check only when the user starts the sequence.
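The purchasing example above, worked through as an added example (not code from the deck): a deny-by-default authorize() function, a flow that checks only when the sequence starts, and a flow that mediates every call. The policy, roles, resources and user names are constructed.

```python
"""Complete mediation with explicit deny, for a REST-style purchase flow
(added example, not code from the deck). Policy, roles and resources are
constructed. Every call is authorized on its own; nothing is inferred from
an earlier step of the sequence."""
from dataclasses import dataclass

# Constructed policy: only these (role, method, resource) triples are allowed.
ALLOW = {
    ("customer", "POST", "cart"),
    ("customer", "POST", "checkout"),
    ("clerk", "GET", "order"),
    ("admin", "POST", "refund"),
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    method: str
    resource: str
    owner: str      # whose object the call touches


def authorize(req):
    """True only when a rule explicitly allows the call; anything else is denied."""
    if (req.role, req.method, req.resource) not in ALLOW:
        return False
    if req.role == "customer" and req.owner != req.user:
        return False            # customers act only on their own objects
    return True


class FlowWithoutMediation:
    """The anti-pattern from the slide: authorize once when the purchase starts,
    then trust that decision for every later step."""
    def __init__(self):
        self.started = set()

    def handle(self, req):
        if req.resource == "cart":
            if not authorize(req):
                return 403
            self.started.add(req.user)
            return 200
        return 200 if req.user in self.started else 403


class FlowWithMediation:
    """Every call, first or fifth, goes through the same check."""
    def handle(self, req):
        return 200 if authorize(req) else 403


def run_scenario(flow):
    """Alice legitimately starts a purchase, then tries a refund on Bob's order.
    Returns the two HTTP status codes."""
    start = Request("alice", "customer", "POST", "cart", owner="alice")
    refund = Request("alice", "customer", "POST", "refund", owner="bob")
    return flow.handle(start), flow.handle(refund)


if __name__ == "__main__":
    print("without mediation:", run_scenario(FlowWithoutMediation()))   # (200, 200)
    print("with mediation:   ", run_scenario(FlowWithMediation()))      # (200, 403)
```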
Secure design patterns
Secure design patterns
There are certain problems that occur time after time in system architecture design and software design.
A security design pattern is a general reusable solution to a commonly occurring problem.
(Diagram: a commonly occurring design problem is matched by a design pattern, which consists of a problem description, a solution description and example uses.)
The Wrapper pattern – the problem
How to use a legacy component in a secure way?
The Wrapper pattern
Introduce a wrapper component that implements a well-tested secure interface.
Invoke the legacy component only via the wrapper. Ensure that the wrapper cannot be invoked directly.
Source: Kenneth van Wyk, Mark Graff, “Secure Coding: Principles and Practices”, O’Reilly Media 2009
Example uses of this pattern – Wrapping a legacy command line application or a RESTful service.
(Diagram: without the wrapper, the external entity calls the legacy application directly; with the wrapper, the external entity calls the wrapper, which in turn calls the legacy application.)
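The command line case from the slide, as an added example (not code from the deck or the cited book): a wrapper that exposes one narrow, whitelist-validated operation and is the only caller of a legacy tool. The legacy tool is a constructed stand-in script; the report directory, file names and the ReportWrapper class are assumptions.

```python
"""The Wrapper pattern applied to a legacy command line tool (added example,
not from the deck or its cited sources). The legacy tool is a constructed
stand-in: a script that counts the lines of whatever path it is handed and
performs no checks of its own. Keeping it reachable only through the wrapper
(file permissions, deployment) is outside this snippet."""
import os
import re
import subprocess
import sys
import tempfile

# Constructed "legacy application": blindly opens argv[1] and counts lines.
LEGACY_SOURCE = "import sys\nprint(sum(1 for _ in open(sys.argv[1])))\n"


class WrapperError(Exception):
    """Raised for every request the wrapper refuses to pass on."""


class ReportWrapper:
    """Narrow, validated interface in front of the legacy tool."""
    NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")   # whitelist, not a blacklist

    def __init__(self, base_dir, legacy_script):
        self.base_dir = os.path.realpath(base_dir)
        self.legacy_script = legacy_script

    def line_count(self, report_name):
        if not self.NAME_RE.fullmatch(report_name):
            raise WrapperError("report name rejected by whitelist")
        path = os.path.realpath(os.path.join(self.base_dir, report_name + ".txt"))
        # Defense in depth: even a whitelisted name must resolve inside base_dir.
        if os.path.dirname(path) != self.base_dir:
            raise WrapperError("path escapes the report directory")
        if not os.path.isfile(path):
            raise WrapperError("no such report")
        # argv list (no shell), fixed interpreter, timeout: the legacy tool
        # only ever sees a path the wrapper has already vetted.
        proc = subprocess.run([sys.executable, self.legacy_script, path],
                              capture_output=True, text=True, timeout=5)
        if proc.returncode != 0:
            raise WrapperError("legacy tool failed")
        return int(proc.stdout.strip())


def demo():
    """Build a throwaway report directory and exercise the wrapper.
    Returns a dict of outcomes so the behaviour can be checked."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        legacy = os.path.join(tmp, "legacy_count.py")
        with open(legacy, "w") as f:
            f.write(LEGACY_SOURCE)
        reports = os.path.join(tmp, "reports")
        os.mkdir(reports)
        with open(os.path.join(reports, "q1.txt"), "w") as f:
            f.write("a\nb\nc\n")
        wrapper = ReportWrapper(reports, legacy)
        outcomes["valid"] = wrapper.line_count("q1")
        for bad in ("../legacy_count", "q1.txt; id", "missing"):
            try:
                wrapper.line_count(bad)
                outcomes[bad] = "allowed"
            except WrapperError as e:
                outcomes[bad] = str(e)
    return outcomes


if __name__ == "__main__":
    print(demo())
```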
Distrustful decomposition – the problem
A large program requires elevated privileges, which increases the attack surface. How can the impacts of a compromise be minimized?
Distrustful decomposition
Decompose the application into smaller mutually untrusting programs that need fewer privileges.
Pay attention to the parts that communicate with external entities.
Source: Secure Design Patterns, Technical report by Software Engineering Institute
Example uses of this pattern – The qmail and Postfix mail systems use multiple processes.
(Diagram: without this pattern, peer component 1 and peer component 2 both talk to one monolithic application; with this pattern, each peer component talks to a separate interface process, and only the internal processing behind those interface processes runs privileged.)
Defer to kernel – the problem
How to separate functionality that requires elevated privileges from functionality that does not require elevated privileges?
How to take advantage of existing user verification and process separation functionalities available in the operating system?
Defer to kernel
Decompose the application into a basic client server architecture. The server runs with elevated privileges and uses existing kernel functionality to verify users.
Examples: The Unix client-server program interface (UCSPI), Securable Objects on Windows.
Source: Secure Design Patterns, Technical report by Software Engineering Institute
(Diagram: an external entity uses the client application; (1) the client sends a request to the server application, (2) the server sends a user ID verification request to the OS kernel, (3) the kernel returns the user ID verification results, (4) the server responds to the client.)
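The four-step exchange above, as an added example (not code from the deck or the SEI report) over a Unix domain socket on Linux: the server ignores whatever user ID the client claims and asks the kernel, via SO_PEERCRED, who really owns the peer socket. The message format, the "status"/"reconfigure" commands and the admin policy are constructed.

```python
"""Defer to kernel, shown over a Unix domain socket (added example, not from
the deck or the SEI report; Linux-only). The server ignores the user ID the
client claims in its message and asks the kernel (SO_PEERCRED) who really
owns the peer socket. Message format and the admin policy are constructed."""
import os
import socket
import struct

ADMIN_UIDS = {0}                 # constructed policy: only root may reconfigure
CURRENT_UID = os.getuid()        # uid this process (and so the client end) runs as


def kernel_peer_uid(conn):
    """Steps (2) and (3): the kernel reports the peer's pid, uid and gid."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def serve_one(conn):
    """Step (1): read '<claimed uid> <command>'; step (4): answer.
    The claimed uid is parsed only to show that it is never used."""
    claimed_uid, command = conn.recv(1024).decode().split(" ", 1)
    real_uid = kernel_peer_uid(conn)
    if command == "status":
        reply = "ok status"
    elif command == "reconfigure" and real_uid in ADMIN_UIDS:
        reply = "ok reconfigure"
    else:
        reply = "denied"             # explicit deny for everything else
    conn.sendall(reply.encode())
    return real_uid, int(claimed_uid), reply


def run_exchange(command, claimed_uid):
    """Client and server ends of one connected pair inside this process.
    Returns (uid the kernel reported, uid the client claimed, reply, echoed reply)."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with client, server:
        client.sendall(f"{claimed_uid} {command}".encode())
        real_uid, claimed, reply = serve_one(server)
        echoed = client.recv(1024).decode()
    return real_uid, claimed, reply, echoed


if __name__ == "__main__":
    # An unprivileged client claiming uid 0 still only gets its real uid's rights.
    print(run_exchange("reconfigure", claimed_uid=0))
```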
OK – so how do we use these in practice?
How to make these concepts real for your team, idea 1/3
Start with training the team
How to make these concepts real for your team, idea 2/3
Which best practices or patterns are relevant will depend on your team
1. Start with a small set of relevant best practices and patterns
2. Extend the set based on feedback, lessons learned, retros, incidents
How to make these concepts real for your team, idea 3/3
Consider secure design reviews
1. Review whether the selected set of best practices has been followed
(I have done this in practice and this seems to work)
2. Review whether it would have been useful to apply some of the selected secure design patterns
(I haven’t tried this in practice – I have some doubts of whether this would be useful)
A security design review can produce trails of usage for compliance
Discussion
How do you apply secure design best practices and design patterns?
Your recommendations?