- A security oversight in the design and architecture phase can lead to vulnerabilities that are hard to detect and expensive to fix once the application is in production
- Security vigilance during the design phase allows potential security flaws to be detected early in the software development lifecycle
- Secure design of an application is based on the security requirements identified in the previous phase of the SDLC
- Secure design is a challenging process, because the security controls it requires can conflict with the business functionality requirements
Goal of Secure Design Process
- Identify the threats in enough detail for developers to understand them and write code that mitigates the risk associated with each threat
- Design the architecture so that it mitigates as many of those threats as possible
- Enforce secure design principles that make developers consider security while coding
Secure Design Actions
- Security Requirement Specifications
Design the application according to the security specifications gathered in the requirements phase (covered in Module 02: Security Requirements Gathering)
- Threat Modeling
Perform threat modeling to know your threats
- Secure Design Principles
Define the secure coding standards to be implemented in the development phase
- Secure Application Architecture
Design a secure application architecture
Define Secure Design Principles
- Secure design principles are established practices or guidelines that developers are required to follow during the development phase
- They help in deriving secure architectural decisions
- They help eliminate design and architecture flaws and mitigate common security vulnerabilities within the application
Secure Design Principles
List of secure design principles to prevent common security vulnerabilities:
- Security through obscurity
- Secure the weakest link
- Use least privilege principle
- Secure by default
- Fail securely
- Apply defense in depth
- Do not trust user input
- Reduce attack surface
- Enable auditing and logging
- Keep security simple
- Separation of duties
- Fix security issues correctly
- Apply security in design phase
- Protect sensitive data
- Exception handling
- Secure memory management
- Protect memory or storage secrets
- Fundamentals of control granularity
- Fault tolerance
- Fault detection
- Fault removal
- Fault avoidance
- Loose coupling
- High cohesion
- Change management and version control
Security through Obscurity
- Security through obscurity (STO) relies on keeping the internal details of a system (its design, implementation or data) secret as the means of protecting it
- STO systems may have theoretical or actual security vulnerabilities, but their designers believe the flaws are unknown and that attackers are unlikely to find them; the flaws still exist, obscurity only hides them
- Its usefulness has declined with the rise of open systems, networking, a greater understanding of programming techniques, and the increased capabilities of home users; treat obscurity as at most a supplementary layer, never as the only control
Secure the Weakest Link
- Attackers target the part of a system that is easiest to penetrate
- For example, to get at encrypted data on the network, attackers will not intercept the traffic and break the encryption; they will go after the communication endpoints and look for a flaw that discloses the data there
- Identify the areas at risk and strengthen them until the level of risk is acceptable
Use Least Privilege Principle
- Applications that run with maximum system privileges are exposed to attacks whose impact is correspondingly large
- For example, many web applications connect to the backend database with a database administrator account even though the application does not need those rights, which magnifies the impact of a SQL injection exploit
- Least privilege protects the application from malicious attacks by:
– Determining and assigning rights only to those who need the privilege to complete a specific task
– Avoiding components that get installed and run by default
– Writing applications so that they can be used by users who do not have administrative privileges
Secure by Default
- The software solution or application provided to users should have its security features enabled by default; if it is permitted at all, it is up to the user to reduce the security
- For example, password aging and password complexity should be enabled by default
Fail Securely
- Default error messages should not give away application secrets
- An application that discloses confidential information on failure helps attackers construct an attack
- When an application fails, determine what may happen and make sure the failure does not threaten the application; in particular, a check that cannot be completed should deny rather than grant
- Provide logical and useful error messages to the user and store the details in the log file
Apply Defense in Depth
- Architects and developers should consider every level of the software when imposing security during development
- Implement security mechanisms at different layers, including the network layer, the kernel layer, the physical layer and the file system layer
Do Not Trust User Input
- Protect the application from all malicious input that reaches it from the user
- Treat every input as potentially malicious and apply security measures to restrict it
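The two principles above, least privilege and not trusting user input, reinforce each other, as this added Python example shows; it is not code from the original slides. The schema, the sample rows and the injection payload are constructed for the demonstration, and because SQLite has no database logins, its authorizer hook stands in for a GRANT-restricted application account. The string-built query is the flaw, the restricted account limits what the flaw can reach, and the parameterized query removes the flaw:

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
ACCOUNTS = [("alice", 120), ("bob", 75), ("carol", 3000)]
USERS = [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")]

# Closes the quoted string, bolts on a UNION that reads a different table,
# and comments out whatever the application appends after the input.
PAYLOAD = "' UNION SELECT password_hash FROM users --"


def setup_db():
    """Create and populate the demo schema as the database owner (full rights)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER);"
        "CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT);"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def restrict_to_accounts_read(conn):
    """Turn the connection into a least-privilege 'application account'.

    A real RDBMS does this with GRANT on a dedicated login. sqlite3 has no
    logins, so its authorizer hook plays that role here: the connection may
    SELECT from the accounts table and do nothing else.
    """
    def authorizer(action, arg1, arg2, dbname, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION,
                      sqlite3.SQLITE_TRANSACTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "accounts":
            return sqlite3.SQLITE_OK      # arg1 = table, arg2 = column
        return sqlite3.SQLITE_DENY        # writes, DDL and every other table

    conn.set_authorizer(authorizer)


def balance_vulnerable(conn, owner):
    """The 'before': the user-supplied owner is spliced into the SQL text."""
    sql = f"SELECT balance FROM accounts WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def balance_safe(conn, owner):
    """The fix: a bound parameter is always data, never SQL."""
    sql = "SELECT balance FROM accounts WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def run_demo():
    """Run each scenario and return its outcome."""
    results = {}

    # 1. Admin-privileged connection + string-built query: the injected UNION
    #    returns every password hash instead of one balance.
    admin = setup_db()
    results["admin_vulnerable"] = sorted(balance_vulnerable(admin, PAYLOAD))
    admin.close()

    # 2. Least-privilege connection + the same flawed query: the injection still
    #    alters the statement, but preparing it fails with an authorization error
    #    because the users table may not be read.
    app = setup_db()
    restrict_to_accounts_read(app)
    try:
        balance_vulnerable(app, PAYLOAD)
        results["lowpriv_vulnerable"] = "leaked"
    except sqlite3.DatabaseError:
        results["lowpriv_vulnerable"] = "denied"

    # 3. Parameterized query: the payload is merely an owner name that does not exist.
    results["lowpriv_safe"] = balance_safe(app, PAYLOAD)
    results["legitimate"] = balance_safe(app, "alice")
    app.close()
    return results


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario:>18}: {outcome}")
```

Note that the least-privilege account does not fix the injection: the statement is still rewritten by the attacker, the database merely refuses the part it is not allowed to do. Only the bound parameter removes the vulnerability, which is why both controls belong in the design.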
Reduce Attack Surface
- Minimize the application's attack surface by reducing the number of entry points into the application
- Remove or turn off features, protocols and functionality that are not in use, to reduce the number of vulnerabilities and the overall risk
- For example, if a vulnerability exists in the way XML is parsed, refusing XML from unknown users reduces the exposure to that vulnerability (it does not remove the flaw itself)
Enable Auditing and Logging
- Auditing and logging define how security-related events are recorded by an application
- Auditing helps identify attacks or intruders in progress, while logging helps reconstruct how an attack was performed
- Perform auditing and logging to gather information about attacks
Keep Security Simple
- If the design is complicated, it is hard to understand, and errors are likely in implementation, configuration and use
- Likewise, as the complexity of the security mechanisms increases, the effort required to reach the appropriate level of software assurance also increases
- Avoid complex architectures and opt for approaches that are simple and fast
Separation of Duties
- Separation of duties is the key control against fraud
- When assigning privileges, consider the system roles. In general, system administrators are also users, since some superuser privileges are required to make the system run
- For example, a system administrator can set the password policy and turn the system on or off, but should not be able to log in as a super-privileged user
Fix Security Issues Correctly
- When a security issue is identified, fix it by treating it as the actual problem, then put the fix through the same security process as new code, ensuring that the fix does not introduce new errors
- For example, a user can view another user's account balance simply by adjusting a cookie. Once the issue is fixed, the fix has to be tested across all the applications, because the cookie-handling code is shared among them
Apply Security in Design Phase
- Before starting application development, always consider the security issues; doing so prevents many security vulnerabilities
- Considering security issues up front helps you understand the coding weaknesses and vulnerabilities behind the most obvious exploits
Protect Sensitive Data
- Do not hard-code sensitive data such as passwords in the program
- Use encryption when transmitting data over the network
Exception Handling
- Events that disrupt the normal flow of a program are called exceptions
- Exception handling occurs when error conditions interrupt the normal flow of a program's execution
- Programmers find designing for exception handling difficult, because error conditions have to be checked for continuously
- Proper use of exception handling helps ensure proper error handling
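Added example (Python, not code from the original slides) covering both the Fail Securely and the Exception Handling principles: the same failing backend is handled first by a handler that passes its exception text to the client, then by one that fails closed on the ownership decision, returns a generic message with a correlation reference, and keeps the full detail in the server-side log. The backend functions, the account table, the in-memory log sink and the error text are constructed for the demonstration:

```python
import logging
import uuid

# Constructed example (not code from the original page): a money-transfer handler
# whose backend fails, shown first leaking internals and then failing securely.

AUDIT_LOG: list = []   # stand-in for the server-side log sink, so the example runs offline


class _ListHandler(logging.Handler):
    def emit(self, record):
        AUDIT_LOG.append(self.format(record))


log = logging.getLogger("demo.fail_securely")
log.setLevel(logging.INFO)
log.addHandler(_ListHandler())
log.propagate = False

# Constructed backends; a real service would call an ORM or payment gateway here.
OWNERS = {"acc-1": "alice", "acc-2": "bob"}


def lookup_owner(account_id: str) -> str:
    return OWNERS[account_id]            # KeyError for an unknown account


def debit(account_id: str, amount: int) -> None:
    # Simulates the kind of infrastructure error a production backend raises.
    raise ConnectionError("connection to db-prod-01:5432 refused for user app_rw")


def transfer_leaky(session: dict, account_id: str, amount: int):
    """The 'before': any exception text goes straight back to the client,
    revealing host names, ports, service accounts and whether an account exists."""
    try:
        if lookup_owner(account_id) != session["user"]:
            return 403, {"error": "not your account"}
        debit(account_id, amount)
        return 200, {"status": "ok"}
    except Exception as exc:             # broad on purpose: this is the flaw being shown
        return 500, {"error": f"{type(exc).__name__}: {exc}"}


def is_owner(session: dict, account_id: str) -> bool:
    """Fail closed: if ownership cannot be established, the answer is 'no'."""
    try:
        return lookup_owner(account_id) == session.get("user")
    except Exception:
        log.exception("ownership lookup failed account=%s", account_id)
        return False


def transfer_secure(session: dict, account_id: str, amount: int):
    """The fix: a generic client message with a correlation reference; the
    full detail (stack trace included) is written only to the server-side log."""
    user = session.get("user")
    if not is_owner(session, account_id):
        log.warning("denied transfer user=%s account=%s", user, account_id)
        return 403, {"error": "not permitted"}
    try:
        debit(account_id, amount)
    except Exception:
        ref = uuid.uuid4().hex[:12]      # what the user quotes to support
        log.exception("transfer failed ref=%s user=%s account=%s amount=%s",
                      ref, user, account_id, amount)
        return 500, {"error": "transaction failed", "ref": ref}
    log.info("transfer ok user=%s account=%s amount=%s", user, account_id, amount)
    return 200, {"status": "ok"}


def log_lines_for(ref: str) -> list:
    """Server-side lookup of everything logged under a correlation reference."""
    return [line for line in AUDIT_LOG if ref in line]
```

The secure handler also answers "not permitted" for an unknown account and for a missing session, rather than distinguishing the cases: an unexpected error in the authorization path is treated as a denial, and the client learns nothing it could use to enumerate accounts.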
Secure Memory Management
- Check memory bounds on the length of input variables, arrays and arguments to prevent buffer overflow attacks
- Apply coding standards that favor simplicity; they help implement security in the program and keep things simple
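Added example (Python, not code from the original slides) of the bounds check described above, on a constructed type-length-value wire format. The naive parser trusts the length field taken from the input; in C the resulting copy would overrun the destination buffer, and even in a memory-safe language it returns a silently truncated record as if it were valid. The strict parser checks every input-derived length against the bytes actually available and against a policy maximum before using it as a bound:

```python
import struct

# Constructed wire format for the example (not from the original page): a sequence
# of records, each [type: 1 byte][length: 2 bytes, big-endian][value: length bytes].
HEADER = struct.Struct("!BH")
MAX_VALUE_LEN = 1024   # policy limit: no record type legitimately carries more


def parse_tlv_naive(buf: bytes) -> list:
    """The 'before': trusts the length field from the input.

    In C, copying `length` bytes into a fixed buffer would overrun it. In Python
    the slice silently stops at the end of the data, so the parser returns a
    truncated record as if it were valid and the caller never learns the input
    was malformed.
    """
    records, offset = [], 0
    while offset < len(buf):
        rtype, length = HEADER.unpack_from(buf, offset)
        offset += HEADER.size
        records.append((rtype, bytes(buf[offset:offset + length])))
        offset += length
    return records


def parse_tlv(buf: bytes) -> list:
    """The fix: every input-derived length is checked against the bytes actually
    available and against the policy maximum before it is used as a bound."""
    records, offset = [], 0
    while offset < len(buf):
        if len(buf) - offset < HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        rtype, length = HEADER.unpack_from(buf, offset)
        offset += HEADER.size
        if length > MAX_VALUE_LEN:
            raise ValueError(f"type {rtype}: length {length} exceeds limit {MAX_VALUE_LEN}")
        if length > len(buf) - offset:
            raise ValueError(f"type {rtype}: declared length {length}, "
                             f"only {len(buf) - offset} bytes remain")
        records.append((rtype, bytes(buf[offset:offset + length])))
        offset += length
    return records


def encode_tlv(records) -> bytes:
    """Build a well-formed message from (type, value) pairs."""
    return b"".join(HEADER.pack(rtype, len(value)) + value for rtype, value in records)


def rejects(parser, buf: bytes) -> bool:
    """True if the parser refuses the input with ValueError."""
    try:
        parser(buf)
        return False
    except ValueError:
        return True


# Constructed inputs: one valid message and three malformed variants.
GOOD = encode_tlv([(1, b"alice"), (2, b"\x00\x78")])
OVERCLAIM = HEADER.pack(1, 200) + b"alice"       # claims 200 bytes, only 5 follow
OVERSIZE = HEADER.pack(1, 2048) + b"A" * 2048    # self-consistent but beyond policy
TRUNCATED = GOOD + b"\x03"                       # header cut off after the type byte
```

The policy maximum matters as much as the remaining-bytes check: a length that is consistent with the buffer can still be far larger than any fixed-size destination the value is later copied into, which is exactly the overflow case in a C implementation.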
Protect Memory or Storage Secrets
- Encrypt secrets held in memory so that they do not end up in the clear in a crash dump file
- Use a well-vetted, standard cryptographic method when encrypting secrets
- Scrub secrets from memory before the storage is freed or deleted
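Added example (Python, not code from the original slides) serving both the Protect Sensitive Data and the Protect Memory or Storage Secrets principles: a Secret wrapper that is loaded from the environment instead of being hard-coded, never reveals its value through repr()/str() so that it stays out of error messages, tracebacks and logs, and is wiped in place when no longer needed. The environment variable name DEMO_DB_PASSWORD, the stand-in authentication function and the sample values are constructed for the demonstration:

```python
import os

# Constructed example (not code from the original page). DEMO_DB_PASSWORD is a
# placeholder variable name; in a deployment the platform or secret manager
# injects it, and the value never appears in source control.


class Secret:
    """Holds a secret in a mutable buffer so it can be wiped, and never reveals
    it through repr()/str(), so it stays out of error messages, tracebacks and logs."""

    def __init__(self, data: bytes):
        self._buf = bytearray(data)
        self._wiped = False

    @classmethod
    def from_env(cls, name: str) -> "Secret":
        # pop() also removes it from the environment passed on to child processes
        value = os.environ.pop(name, None)
        if value is None:
            raise RuntimeError(f"required secret {name} is not set")
        return cls(value.encode())

    def expose(self) -> bytes:
        """Return a copy for immediate use (e.g. handing to a driver). Do not cache it."""
        if self._wiped:
            raise RuntimeError("secret has already been wiped")
        return bytes(self._buf)

    def wipe(self) -> None:
        """Overwrite the buffer in place before it is released."""
        self._buf[:] = bytes(len(self._buf))
        self._wiped = True

    def is_wiped(self) -> bool:
        return self._wiped and all(b == 0 for b in self._buf)

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__

    def __enter__(self):
        return self

    def __exit__(self, *exc_info):
        self.wipe()
        return False


def _authenticate(password: bytes) -> bool:
    """Constructed stand-in for a database/API login call."""
    return password == b"correct horse battery staple"


def login_hardcoded() -> bool:
    """The 'before': the credential lives in the source, the repository history,
    every build artifact and any crash dump, and the error message repeats it."""
    password = "hunter2"
    if not _authenticate(password.encode()):
        raise RuntimeError(f"login failed with password {password!r}")
    return True


def login_from_env(var: str = "DEMO_DB_PASSWORD") -> bool:
    """The fix: load at runtime, use once, wipe on exit, and format only the
    redacted wrapper into messages."""
    with Secret.from_env(var) as pw:
        if not _authenticate(pw.expose()):
            raise RuntimeError(f"login failed with {pw}")
        return True


def run_demo() -> dict:
    results = {}
    try:
        login_hardcoded()
    except RuntimeError as exc:
        results["hardcoded_error"] = str(exc)

    os.environ["DEMO_DB_PASSWORD"] = "hunter2"   # constructed; normally injected by the platform
    try:
        login_from_env()
    except RuntimeError as exc:
        results["env_error"] = str(exc)
    results["env_cleared"] = "DEMO_DB_PASSWORD" not in os.environ

    token = Secret(b"short-lived session token")
    results["exposed_len"] = len(token.expose())
    token.wipe()
    results["wiped"] = token.is_wiped()
    return results
```

Caveat: CPython strings are immutable, and the str obtained from the environment (and any bytes copy handed out by expose()) cannot be zeroed, so this pattern shortens the window in which the secret exists in memory rather than guaranteeing its removal. In C the equivalent steps are explicit_bzero() or memset_s() before free(). If a secret has to stay resident for a long time, encrypt it in memory as the slide says, and keep only the key material short-lived.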
Fundamentals of Control Granularity
- Applications that manage sensitive data should provide privacy protection, which can be achieved through flow control
- Flow control prevents data from leaking through non-secure information flows
- Systems with insufficient (coarse) granularity may lack the control needed to protect data from misuse
- System administrators get better control through granularity at the URL level, the shared directory level and the application level
- Different granularity is needed to control information flows within an application
- Role-based Access Control (RBAC) is a flow control model offering multiple levels of control granularity
– Also called n-leveled RBAC (LnRBAC), since each level of granularity is controlled by a level of RBAC control
– Handles and resolves problems caused by abnormal program termination
– Controls method invocation and write accesses, and helps prevent Trojan horses
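Added example (Python, not code from the original slides) that serves both the Separation of Duties slide and the control-granularity/RBAC slide: roles carry permissions at the application level, every operation is additionally checked at the object level (the account's branch), and approval enforces a separation-of-duties rule that holds even when one person holds both roles. The roles, users, accounts and the branch rule are constructed for the demonstration:

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed example (not code from the original page).
# Application-level granularity: which operations a role may perform at all.
# The sysadmin role deliberately has no rights over business data.
ROLE_PERMISSIONS = {
    "teller":   {"account:read", "transfer:create"},
    "manager":  {"account:read", "transfer:approve"},
    "sysadmin": {"policy:write", "system:restart"},
}


class Denied(PermissionError):
    """Raised when an authorization check fails."""


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    branch: str


@dataclass
class Account:
    number: str
    branch: str
    balance: int


@dataclass
class Transfer:
    account: Account
    amount: int
    requested_by: str
    approved_by: Optional[str] = None


def has_permission(user: User, perm: str) -> bool:
    return any(perm in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def authorize(user: User, perm: str, account: Optional[Account] = None) -> None:
    """Coarse check (does any role grant perm?) then fine check (own branch only)."""
    if not has_permission(user, perm):
        raise Denied(f"{user.name} lacks {perm}")
    if account is not None and account.branch != user.branch:
        raise Denied(f"{user.name} may not act on accounts of branch {account.branch}")


def read_balance(user: User, account: Account) -> int:
    authorize(user, "account:read", account)
    return account.balance


def create_transfer(user: User, account: Account, amount: int) -> Transfer:
    authorize(user, "transfer:create", account)
    return Transfer(account, amount, requested_by=user.name)


def approve_transfer(user: User, transfer: Transfer) -> Transfer:
    authorize(user, "transfer:approve", transfer.account)
    # Separation of duties: the requester is never the approver, even when one
    # person holds both the teller and the manager role.
    if transfer.requested_by == user.name:
        raise Denied(f"{user.name} cannot approve their own transfer")
    transfer.approved_by = user.name
    transfer.account.balance -= transfer.amount
    return transfer


def outcome(fn, *args) -> str:
    """Run an operation and describe whether the policy allowed it."""
    try:
        fn(*args)
        return "allowed"
    except Denied as exc:
        return f"denied: {exc}"


def run_demo() -> dict:
    acct = Account("1001", "north", 500)
    teller = User("tina", frozenset({"teller"}), "north")
    manager = User("mark", frozenset({"manager"}), "north")
    both = User("dana", frozenset({"teller", "manager"}), "north")
    admin = User("sam", frozenset({"sysadmin"}), "north")
    remote_manager = User("fay", frozenset({"manager"}), "south")

    t1 = create_transfer(teller, acct, 100)
    t2 = create_transfer(both, acct, 50)
    results = {
        "teller_self_approve": outcome(approve_transfer, teller, t1),
        "admin_reads_balance": outcome(read_balance, admin, acct),
        "other_branch_approve": outcome(approve_transfer, remote_manager, t1),
        "dual_role_self_approve": outcome(approve_transfer, both, t2),
        "manager_approves": outcome(approve_transfer, manager, t1),
    }
    results["balance_after"] = acct.balance
    return results
```

The separation-of-duties check is written against the transfer's recorded requester rather than against role membership, so granting a user a second role does not quietly let them complete a transaction alone; that is the property the slide's administrator example is after.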
Fault Tolerance
- A strategy applied to software (or system) design that lets the system continue functioning even in the presence of faults, by enhancing its robustness
Fault Detection
- Closely linked to fault tolerance; detects faults and produces an appropriate response in system behavior
- Examples include system monitors, safety monitors, built-in tests, loop-back tests, etc.
Fault Removal
- Removes faults during the design process
- Examples include error detection, verification through inspection, built-in testing, correction functions, etc.
Fault Avoidance
- Avoids the errors that contribute to system faults during the development process
- Examples include defensive programming, error minimization during design, minimizing the amount of safety-critical code, using appropriate SDLC techniques, etc.
Loose Coupling
- Procedures that operate independently of other procedures are called loosely coupled
- Loose coupling describes the exchange relationship between two or more systems or organizations
- Loosely coupled systems are chosen when either the source or the destination machines are expected to change frequently
- In web services or a service-oriented architecture, loose coupling is achieved by hiding the implementation details from the caller
Well-known Techniques that Create Loose Coupling
- Vendor- and platform-independent messages
- Coarse-grained, self-describing and self-contained messages
- Well-defined interfaces
- Extensible, versionable interfaces
- Constrained interfaces
- Stateless messaging, where possible and appropriate
- Human-readable strings (URIs) for service and instance addresses
- Humans controlling clients, where possible and appropriate
- Asynchronous exchange patterns, where possible and appropriate
High Cohesion
- Procedures that each perform a single function are cohesive
- Cohesion is a measure of how strongly related the functionality within the source code of a single module is
- A class is said to have high cohesion if its methods perform closely related actions
- Highly cohesive code increases readability and reusability without increasing complexity
- Procedures that are more reliable and easier to read and maintain are usually loosely coupled and highly cohesive
Change Management and Version Control
- The integrity of system changes is controlled by a well-defined process called configuration management
- It allows all stakeholders to know about upcoming changes
- Change management controls integration costs and development
- Required changes to code may introduce vulnerabilities
- Anticipating change requirements may limit their negative effects