Transforming Secure Coding into Secure Design

René Pfeiffer/ August 21, 2016/ Discussion, High Entropy, Security

Secure Coding is the way to go when you develop applications for the real world. Rename errors and bugs into failures. Turn #fail to #win. Instant karma. In addition, there are lots of best practices, checklists, and documents around that will tell you what to anticipate. However, the design of an application precedes the code itself. Given the scope and purpose of your product, implementing security at the coding stage might be too late.

Let us consider an example. The Internet of Things (IoT) is all around us, especially in the information security news sections. While connecting devices to make one’s life easier isn’t a bad idea (just think about writing this article on a networked device and you reading it! Cool, eh?), the connecting parts and the security design should be sound. Smart stuff will be exposed to threats. A Facebook party in your living room is the perfect example: it will quickly expose your infrastructure to all kinds of threats. That’s what IoT is required to handle. In the age of always connected devices your infrastructure won’t catch a break. You need secure design in the network protocols, in authentication, in the code itself; the list is long.

Where can you learn secure design? The best approach is to take a few steps back. Once you have committed to a programming language or any other specifics, the design choices get restricted. Isolating the data you need to handle and all the interactions with other components is a good start. When it comes to selecting the right building blocks, do not try to reinvent technology that is already out there. This is especially crucial for all the crypto parts. Encryption libraries and their parameters have been extensively researched by security researchers in the past three years. Take a look at best practices. Try to use reliable components. Use code that has been around for a long time. Identify the threats your code will be facing. The list gets quite long, but it’s worth going through all these considerations before the first line of code is written. Then you can start to address the issues of secure coding.

A lot of products benefit from secure design. In case you forgot the design, there is always secure testing for those who put the security design into the code after the application hit the market.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.