Insecure Design means that software is not designed to be fundamentally secure. It contains vulnerabilities caused by ineffective or missing control design. When companies fail to determine what level of security design is required, they are more likely to be victim to these vulnerabilities.
These risks start from the planning phase, even before coding activities actually start. A lack of planning and anticipation from the developers causes these vulnerabilities to arise.
To achieve Security By Design there are certain requirements which a developer must follow:
To anticipate where weak points are located in software, it is necessary to always assume attacks are going to occur, what impact these can have and to put countermeasures in place where needed.
Security Through Obscurity (STO) means hiding the details of your security mechanism. The goal is to discourage attackers by hiding important information and enforcing the secrecy of the software. Short-term this method will see a reduced amount of risks, however obscuring security often leads to a false sense of security. Over time attackers apply techniques which will cause these secrecy methods to fail.
This principle requires that every user, process or program can only access the resources and information which are essential to perform it’s intended function. A normal user cannot have access to admin functions.
The SDL helps developers build more secure software by reducing vulnerabilities, while also reducing development costs. It consists of a set of practices that support security assurance and compliance requirements.
These practices include providing training, define security requirements, perform static and dynamic analysis security testing, use approved tools, establish a standard incident response plan and more.
Threat modeling is a process in which potential risks and threats are identified, prioritized and mitigated. This way a systematical analysis can be created of what defenses must be included or implemented.
There are many approaches to threat modeling, with the most known ones being STRIDE and P.A.S.T.A.
Developed by Microsoft, it is a model of threats, used to find what could go wrong in a system. The threats in this model are Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege.
The Process for Attack Simulation and Threat analysis is a seven-step, risk-centered methodology. Its intent is to provide dynamic threat identification, enumeration and a scoring process.
These approaches both use data flow diagrams to develop a visual representation of the application infrastructure.
Secure Design Patterns are reusable solutions to commonly occurring design problems. They are meant to eliminate the accidental insertion of vulnerabilities into code and to mitigate the consequences of these vulnerabilities.
These patterns follow a template which describes different elements of the pattern. Like its intent, examples, applicability, implementation and more.
When working on a project, you can create a secure design pattern when facing a common problem. Later when the same problem occurs again but in a different situation, you can apply the pattern to implement the same solution.
Because Insecure Design is a completely new category in the OWASP Top 10, we can see that it is necessary to bring attention to these vulnerabilities. It’s important for developers to follow these guidelines and spend more time and resources on planning and modeling before starting coding activities.
At Brightest, we perform a complete one-off penetration test of applications based on the OWASP top 10, which includes Insecure Design. Additionally, we assist with the implementation of the Secure Development Lifecycle. This means converting security-concepts into requirements and use cases in the design phase of the SDL. At last, we can verify if developers follow the requirements to be secure by design, checking if the least privilege principle is lived up to, verify the design patterns and making sure security through obscurity is avoided.
Do you want to know more about the OWASP Top 10? Read here our previous articles on the topic.
Written by Mitch Rollez