
11 Design Principles for Secure Applications

By Emerging Technologies Group •  April 15, 2013

Application Security – It Starts at Design

The design phase is one of the major parts of the SDLC (software development life cycle).  How well an application performs and meets its business goals is directly affected by decisions made during this phase.
Designing secure software requires a secure mind set. Envisioning the finished product and looking at it from various perspectives is essential to achieving a well-rounded application design that is also secure.  The best way to achieve secure application design is to follow proven industry practices as well as thinking out of the box in cases where newer technologies are to be used.
What could go wrong with poor application design?
Before looking at some secure design principles to follow, let’s consider what can happen when you don’t follow them. Below is the OWASP Top 10 (RC1) for the most critical security concerns of 2013. Tracing the root cause of most of these issues leads back to a flaw in the application's security design.

[Figure: OWASP Top 10 (RC1), 2013] Source: OWASP
Take A1 for example – Injection. Choosing the correct data access API for an application largely mitigates this vulnerability, and that choice is part of most software designs. Another example is A3 — Cross-Site Scripting (XSS). How input data is validated and how it is displayed are also decided in the design phase of an application.
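To make the two design decisions above concrete, here is an added example (not from the original post) that contrasts a data access call built by string concatenation with one that uses the API's parameter binding, and shows output encoding of a name before it is placed in HTML. The users table and the inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn, name):
    """Design flaw (OWASP A1, Injection): the statement is assembled from
    user input, so the input can alter the query's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Correct data access API choice: the input is bound as a value and
    can never become part of the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting(name):
    """Output decision (OWASP A3, XSS): escape the value before placing it
    in markup so any markup in the input is displayed, not interpreted."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demonstrate():
    """Runs both lookups on an ordinary name that contains a quote character
    and returns what each did; the concatenated query breaks because the
    data was treated as part of the SQL."""
    conn = make_db()
    name = "o'brien"  # constructed input; the apostrophe is plain data
    try:
        concat_result = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat_result = "query broke: " + type(exc).__name__
    return {
        "concat": concat_result,
        "param": lookup_param(conn, name),
        "html": render_greeting("<b>" + name + "</b>"),
    }
```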
Some Design Principles for Secure Applications
Software applications come in all sizes — from small embedded systems to large-scale enterprise systems. There are no hard rules or silver bullets regarding what security concerns should be considered for an application, but the following secure design principles can help guide architects and designers alike.
    1. Minimize Attack Surface – Reduce the entry points that malicious users can exploit
    2. Least Privilege – Grant only the access level needed to do the job
    3. Separation of Duties – Different entities have different roles
    4. Defense in Depth – Multiple layers of control make a system harder to exploit
    5. Fail Secure – Limit the amount of information exposed when a system encounters an error
    6. Economy of Mechanism – Keep things simple
    7. Complete Mediation – Every access to every resource of a system is validated
    8. Open Design – Base security on proven open standards
    9. Psychological Acceptability – Security measures should protect a system without hampering its users
    10. Weakest Link – Any system is only as strong as its weakest link
    11. Single Point of Failure – Consider adding redundancy to critical systems
Although the implementation of measures for ensuring the security of an application starts at design, it definitely does not end there. The fast pace of advancements in web technology also brings the potential for new attack vectors. Add to this the possible threats presented by new devices and operating system updates, and application security becomes a never-ending cycle.
Continuous awareness and consciousness of new security risks is a must for any organization that designs and develops software. By anticipating issues before they become problems, we can prevent attacks from becoming breaches.
Other great references for secure software design:

The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.
