02-Design/01-Principles of Security Engineering.md
Lines changed: 14 additions & 5 deletions
@@ -6,7 +6,7 @@ Also known as layered defense, defense in depth is a security principle where si
6
6
Have diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense will hopefully prevent a full breach.
7
7
8
8
## Fail Safe
9
-
A security principle that aims to maintaining confidentiality, integrity and availability by defaulting to a secure state, rapid recovery of software resiliency upon design or implementation failure. In the context of software security, fail secure is commonly used interchangeably with fail safe, which comes from physical security terminology.
9
+
A security principle that aims to maintain confidentiality, integrity and availability by defaulting to a secure state, rapidly recovering software resiliency upon design or implementation failure. In the context of software security, fail secure is commonly used interchangeably with fail safe, which comes from physical security terminology.
10
10
11
11
Unless a subject is given explicit access to an object, it should be denied access to that object, aka *Fail Safe Defaults*.
12
12
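Review bot: The rewritten Fail Safe sentence still reads awkwardly: "rapidly recovering software resiliency upon design or implementation failure" hangs off the main clause with only a comma, and resiliency is not the thing being recovered. Suggest "A security principle that aims to maintain confidentiality, integrity and availability by defaulting to a secure state and by recovering rapidly from design or implementation failures." The "aims to maintaining" to "aims to maintain" fix is good.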
@@ -18,22 +18,22 @@ Limits the damage in case of exploited vulnerability.
18
18
In order to apply this principle, proper granularity of privileges and permissions should be established.
19
19
20
20
## Separation of Duties
21
-
Also known as the [compartmentalization principle][1], or separation of privilege, separation of duties is a security principle which states that the successful completion of a single task is dependent upon two or more conditions that need to be met and just one of the conditions will be insufficient in completing the task by itself.
21
+
Also known as the [compartmentalization principle][1], or separation of privilege, separation of duties is a security principle which states that the successful completion of a single task is dependent upon two or more conditions that are insufficient for completing the task by itself.
22
22
23
23
## Economy of Mechanism
24
-
This in layman terms is the [Keep It Simple, Stupid][2] principle because the likelihood of a greater number of vulnerabilities increases with the complexity of the software architectural design and code.
24
+
In layman terms, this is the [Keep It Simple, Stupid][2] principle because the likelihood of a greater number of vulnerabilities increases with the complexity of the software architectural design and code.
25
25
26
26
By keeping the software design and implementation details simple, the attack-ability or attack surface of the software is reduced.
27
27
28
28
## Complete Mediation
29
29
A security principle that ensures that authority is not circumvented in subsequent requests of an object by a subject, by checking for authorization (rights and privileges) upon every request for the object.
30
30
31
-
In other words, the access requests by a subject for an object is completely mediated every time.
31
+
In other words, the access requests by a subject for an object are completely mediated every time.
32
32
33
33
“All accesses to objects must be checked to ensure that they are allowed.”
34
34
35
35
Performance v/s Security issue:
36
-
- Results of access check are often cached
36
+
- Results of access checks are often cached
37
37
- What if permissions have changed since the last check?
38
38
- Mechanisms to invalidate or flush caches after a change are often missing
39
39
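Review bot: The Separation of Duties rewrite loses the meaning of the original sentence. "two or more conditions that are insufficient for completing the task by itself" now says the conditions are collectively insufficient, and "by itself" has no singular antecedent; the point of the principle is that each condition alone is insufficient. Suggest "...is dependent upon two or more conditions being met, where any single condition is insufficient to complete the task by itself." Minor style point in the same hunk: "In layman terms" should be "In layman's terms" (the added comma is right).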
@@ -51,6 +51,15 @@ If the secrets are abstracted from the mechanism, e.g. inside a key, then leakag
51
51
## Least Common Mechanism
52
52
The security principle of least common mechanisms disallows the sharing of mechanisms that are common to more than one user or process if the users and processes are at different levels of privilege. For example, the use of the same function to retrieve the bonus amount of an exempt employee and a non-exempt employee will not be allowed. In this case the calculation of the bonus is the common mechanism.
53
53
54
+
According to Saltzer and Schroeder [Saltzer 75] in "Basic Principles of Information Protection" from pages 9-10:
55
+
56
+
> Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users.1 Every shared mechanism (especially one involving shared
57
+
> variables) represents a potential information path between users and must be designed with great care to be sure it does not unintentionally compromise security. Further, any
58
+
> mechanism serving all users must be certified to the satisfaction of every user, a job presumably harder than satisfying only one or a few users. For example, given the choice
59
+
> of implementing a new function as a supervisor procedure shared by all users or as a library procedure that can be handled as though it were the user's own, choose the latter
60
+
> course. Then, if one or a few users are not satisfied with the level of certification of the function, they can provide a substitute or not use it at all. Either way, they can
61
+
> avoid being harmed by a mistake in it.
62
+
54
63
## Psychological acceptability
55
64
A security principle that aims at maximizing the usage and adoption of the security functionality in the software by ensuring that the security functionality is easy to use and at the same time transparent to the user. Ease of use and transparency are essential requirements for this security principle to be effective.
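Review bot: The quoted Saltzer and Schroeder passage carries a stray footnote marker copied from the source ("depended on by all users.1"); drop the "1" or turn it into a proper footnote so it does not read as part of the sentence. The new "[Saltzer 75]" citation is also left undefined while the file otherwise uses reference-style links ([1], [2]); consider adding a matching reference to the paper, "The Protection of Information in Computer Systems" (1975), so readers can locate the cited pages.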