Secure Design – Combining Information Security with Software Development
Information security researchers usually see software fail. Sometimes they try to make software fail on purpose. The result is a bug description, also called vulnerability report in case the bug has a security impact. The the best case scenario this information reaches the software developers who in turn fix the problem. Then the cycle continues. This process is fun for the first iterations. After a while it gets boring. Even a while after that you ask yourself why integer overflow, injection attacks, and basic cross-anything is still an issue. Some bug classes are well over 40 years old. Polio is far older, and yet we got rid of it (mostly). What’s different in the field of software creation?
The answers are simple, endless, and change depending on the current trend. Just as computing changed from the first mainframes to personal computing and back again the methods in software development have their mix of temporary fashion and solid implementation choices. Additionally you have more programming languages now than decades before – the agony of choice. Who wants to Rust before you go Go? Of course, we are wiser now and have invented skills such as secure coding. The problems seem to stay the same (take a look at the yearly top n CVE entries).
If you take a look behind the scenes of some software projects and unveil the core design of the application, sometimes the reason for security defects become more obvious. Software projects have a history. Code usually was for to solve a set of problems or perform certain tasks. The early design choices follow the production code. Mistakes in the design can lead to implementations that will never be more secure or suffer from vulnerability classes for all eternity. Getting the design right is critical. The credo of „ship early, ship often“ or „ra(p|b)id prototyping“ can lead to the point where working code is favoured over a sound design that doesn’t tip over easily. Secure Design is a nice thing to have. Where do you find it? This is where the soon-to-be-announced DeepSec 2020 Call for Papers comes in. We would like to take a stab at software development. If you teach/develop/test/implement secure design or secure coding, then we want to hear about it. Presentations are welcome. In case you have a training in mind, please drop us an email.