Software Engineering, Project Management, and Effectiveness
If you know the underlying principles for security, you can be more effective in your security design. While working on Improving Web Application Security: Threats and Countermeasures, my team focused on creating a durable set of security principles. The challenge was to make the principles more useful. It's one thing to know the principles, but another to turn it into action.
Turning Insights Into Action
To make the principles more useful, we organized them using our Security Frame. Our Security Frame is a set of actionable, relevant categories that shape your key engineering and deployment decisions. With the Security Frame we could quickly find principles related to authentication, or authorization or input validation ... etc.
Once we had these principles and this organizing frame, we could then evaluate technologies against it to find effective, principle-based techniques. For example, when we analyzed doing input and data validation in ASP.NET, we focused on finding the best ways to constrain, reject, and sanitize input. For constraining input, we focused on checking for length, range, format and type. Using these strategies both shortened our learning curve and improved our results.
Core Security Principles
We started with a firm foundation of core security principles. These influenced the rest of our security design principles. Here's the core security principles we started with:
Frame for Organizing Security Design Principles
Rather than a laundry list of security principles, you can use the Security Frame as a way to organize and share security principles:
Auditing and Logging
Here's our security design principles for auditing and logging:
Here's our security design principles for authentication:
Here's our security design principles for authorization:
Here's our security design principles for configuration management:
Here's our security design principles for cryptography:
Here's our security design principles for exception management:
Input / Data Validation
Here's our security design principles for input and data validation:
Here's our security design principles for sensitive data:
Here's our security design principles for session management:
Using the Security Design Principles
This is simply a baseline set of principles so that you don't have to start from scratch. You can build on this set and tailor for your specific context. I find that while having a set of principles helps, that you can't stop there. To share the knowledge and help others use the information, it's important to encapsulate the principles in patterns as well as show concrete examples and create precise, actionable guidelines for developers. Personally, I've found Wikis to be the most effective way to share and manage the information.
My Related Posts
PingBack from http://creditcard.creditspeak.com/2008/04/07/security-principles/
...and when you are done with all that, make it user-friendly J
This is some great foundational work! I couldn't agree more completely about the need to base everything upon solid principles. This takes me back to my days studying physics, where everything was proved through from first-principles... I think that lesson (as you have suggested) is a perfect fit for approaching security.
Why no mention of HttpOnly cookies in your session handling section? Otherwise, this is a fantastic resource.
@Eber - I agree. Great design is effetive trade-offs/balance among user experience, business, and technological requirements.
@Dave - I'm a fan of principles. They simplify my life. I also like to know "how things work." That too has simplified my life.
@Jim - Good catch!