Visibility and maintenance

Fuzzing, static analysis and functional testing are also critical during key stages of development and after the application has been put into production. So the design must include testing stages during design, development and post-production to maintain the application's security posture.
That means design must include basic monitoring support, such as producing usable logs and registering changes to data and access, says Symantec's Phillips. “To build trust, monitoring is very important, so you must have a close view of your system and access logs, as well as activity that occurs around the data,” he says.
There are numerous tools and services to test web applications for SQL injections, XSS and other code-based and functional vulnerabilities. However, when it comes to visibility into applications in the public cloud, organizations must rely on monitoring tools supported by their cloud provider to monitor their own data, say experts. To keep an eye on their provider's network, they will need to rely mostly on contracts and annual audits.
Getting to secure design will take planning, time and coordination between business, development and security units. But the task is not impossible, many say.
“No one says secure by design is a quick architecture change that makes an application ready for the web or the cloud,” IBM's Danahy says. “If it were easy, there would already be a common secure design template that everyone can use.”
Secure design resources
Finding guidelines that apply to developers is easier than finding guides for designers and planners, but they do exist. Here are some examples:
The Cloud Security Alliance has many helpful guides for developing for and deploying to the cloud at , including:
- Security Guidance for Critical Areas of Focus in Cloud Computing, which delineates cloud types and components and a means to map risk around key focal areas of architecture, governance and operations
- A Cloud Controls Matrix spreadsheet listing control areas, specifications, and architectural components for providers and consumers of cloud services
- Toolkits to assess public, private and hybrid cloud environments
The Open Web Application Security Project (OWASP) has a popular code review guide that connects the dots between security, design and business contexts. Other popular resources include:
- Security cheat sheet for developers
- Threat modeling guidance
- Secure coding and testing guidelines
The Software Assurance Forum for Excellence in Code (SAFECode) has recently published the second edition of its Fundamental Practices for Secure Software Development. Other resources include:
- Software assurance for supply chain applications
- An overview of software integrity controls
- Software security engineer training
Secure design points
No matter where the application resides, basic design frameworks apply. In the case of Symantec, development teams follow these basic design principles:
1. Data re-validation and protection at trust boundaries
Data transfer across trust boundaries, such as between two processes at differing privilege levels or two separate computers, must be protected. Data must be validated for type, range of values, size and semantics at both the client and the server. Data protection can be implemented using a tamper-evident mechanism such as digital signatures.
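The following is an added example of this principle, not code from the article or from Symantec. It shows a server-side receiver that re-validates a message arriving across a trust boundary: it checks size before parsing, verifies a tamper-evident tag, and only then validates type, range and semantics of each field. The tag here is an HMAC-SHA256 over a canonical JSON body (a shared-key MAC rather than the asymmetric digital signature the text mentions, chosen so the example runs with the standard library alone); the key, field names, limits and allowed actions are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example. In a real deployment each boundary
# would have its own key, or an asymmetric signature so the sender cannot forge tags.
SHARED_KEY = b"example-key-not-for-production"

# Hypothetical business vocabulary used for semantic validation.
ALLOWED_ACTIONS = {"read", "update"}
MAX_USER_ID = 10**9
MAX_AMOUNT = 100_000


def sign_message(payload: dict, key: bytes = SHARED_KEY) -> dict:
    """Wrap a payload in a tamper-evident envelope: canonical JSON body plus HMAC tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_and_validate(envelope: dict, key: bytes = SHARED_KEY,
                        max_body_bytes: int = 1024) -> dict:
    """Receiver-side re-validation. Returns the validated payload or raises ValueError.

    Order matters: cheap structural and size checks first, then the integrity
    check, and only then parsing and semantic validation of the contents.
    """
    body = envelope.get("body")
    tag = envelope.get("tag")
    if not isinstance(body, str) or not isinstance(tag, str):
        raise ValueError("malformed envelope")
    if len(body.encode("utf-8")) > max_body_bytes:
        raise ValueError("body too large")

    # Tamper evidence: recompute the tag and compare in constant time.
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")

    # Type, range and semantic validation of the decoded fields.
    payload = json.loads(body)
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")

    user_id = payload.get("user_id")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(user_id, int) or isinstance(user_id, bool) \
            or not (1 <= user_id <= MAX_USER_ID):
        raise ValueError("user_id missing or out of range")

    action = payload.get("action")
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")

    amount = payload.get("amount", 0)
    if not isinstance(amount, int) or isinstance(amount, bool) \
            or not (0 <= amount <= MAX_AMOUNT):
        raise ValueError("amount out of range")

    # Semantic rule: a read request must not carry an amount.
    if action == "read" and amount != 0:
        raise ValueError("read request with non-zero amount")

    return payload


def is_accepted(envelope: dict) -> bool:
    """Convenience wrapper: True if the envelope passes every check."""
    try:
        verify_and_validate(envelope)
        return True
    except ValueError:
        return False
```

Note that a valid tag on its own is not enough: the third test case below carries a correctly signed body whose `user_id` is outside the permitted range, and the receiver still rejects it, which is the point of re-validating at the boundary rather than trusting the sender's checks.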
2. Mutual authentication of service and user agent
Because many untrusted entities are involved in the interaction between a user agent and a service, the user agent and service must establish mutual authentication, which is best achieved through PKI and multi-factor authentication.
3. Prevent eavesdropping - strong encryption
Sensitive and critical data can be exposed by the untrusted entities between the user agent and the server. FIPS 140-2 compliant encryption algorithms must be used for data in transit. Sensitive data must be encrypted even when at rest. Passwords must be securely hashed with a salt and a slow hash function to make brute-force recovery more difficult.
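As an added illustration of the password-hashing requirement (not code from the article or from Symantec), the block below stores passwords with PBKDF2-HMAC-SHA256 from the Python standard library: a random per-user salt, a configurable iteration count, a self-describing storage format so the cost can be raised later, and constant-time verification. The record format, the default iteration count and the helper names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Default work factor for the example; assumed, and chosen to be slow on purpose.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a stored record: algorithm, iteration count, salt and derived key.

    The salt is random per password, so two users with the same password get
    different records and a precomputed table cannot be reused across them.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=KEY_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(derived))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_b64, derived_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(derived_b64)
    except (ValueError, TypeError):
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was created with a lower cost than the current policy.

    Call this after a successful login so old records are upgraded transparently.
    """
    try:
        _, iterations, _, _ = stored.split("$")
        return int(iterations) < target_iterations
    except ValueError:
        return True
```

Because the iteration count travels with the record, the cost can be raised as hardware improves without invalidating existing users; `needs_rehash` lets the application upgrade a record on the next successful login.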
4. Short session timeout and one-time passwords
Long-lasting sessions can lead to replay attacks and session hijacking. Especially for cloud-based applications, one-time passwords and short session timeouts significantly mitigate this type of vulnerability.
5. Least privileges
The multiple components making up the application must each be granted the minimum set of permissions and resources needed to perform their task, to reduce the risk of an attacker escalating privileges.
6. Compartmentalization
Tasks requiring different sets of permissions and resources must be isolated to mitigate resource exhaustion and denial of service vulnerabilities.