Software development is about making things work; what infosec brings to the table is accounting for what happens when things don't work as planned. Years ago software security was mostly scanning apps right before they shipped, but most enterprise SDLCs have gotten better over the years at building at least some security into the process further upstream. This has improved access control, defensive programming and other key bits of the security of many systems. Still, Richard Bejtlich's question is relevant:
Q: What happens when you try to prevent an attack by professionals?
A: You lose. So, fast detection & response is best refuge.
You have to assume that the adversaries are as skilled as your teams or more so, and that they will find a way. This means that User stories, which say what the system is supposed to do on behalf of the user, are not enough by themselves; we need Loser stories to account for loss of data, failing access control and other misuse scenarios. As Richard mentions, this leads to building and integrating more effective detection systems to identify malice, or at least to give the response team a vital data source. Other requirements may be derived, including:
- Following the Golden Rule of dependency management - own your own repository
- Scoping data and tokens - based on use, time and privilege
- Finer grained, dynamic authorization - use freshest, most specific data for authZ rules
- Attack surface reduction - limit failure points
- Asynchronous messaging with protected stores - designed to fail
- "Limp mode" - designed to limp: resiliency when things go awry, as in Netflix's recent example of staying up when Amazon east coast went down
What drives the SDLC is answering the question "what do we want the system to do on behalf of the user?" Following the question "how does the system fail, and what do we want the system to do next?" instead leads infosec in the direction of building more survivable systems. You cannot assume that protection always works; failure and loss are inevitable in any system, but the mission must survive.
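As an added illustration (not code from the original post), here is one Loser story written as executable authorization logic: a token scoped by use, time and privilege, checked against the freshest subject status rather than trusting the token alone, with every denial recorded for the detection and response side. The subject names, uses, privileges and timestamps are constructed for the example.

```python
"""A Loser story as code: how the access check fails, and what the system does next."""
from dataclasses import dataclass
import time


@dataclass
class ScopedToken:
    subject: str        # who the token was issued to
    use: str            # the single purpose/audience the token is good for
    privilege: str      # the single privilege it carries
    issued_at: float    # epoch seconds
    ttl_seconds: int    # lifetime; short lifetimes bound the damage of a stolen token

    def is_expired(self, now: float) -> bool:
        return now > self.issued_at + self.ttl_seconds


@dataclass
class AuthzDecision:
    allowed: bool
    reason: str


def authorize(token: ScopedToken, requested_use: str, requested_privilege: str,
              subject_status: dict, detection_sink: list, now: float = None) -> AuthzDecision:
    """Check use, time and privilege scope, then the freshest subject status.

    Every denial is a Loser story event: it is appended to detection_sink (a constructed
    stand-in for a log pipeline) so the response team gets a data source, not silence.
    """
    now = time.time() if now is None else now
    if token.is_expired(now):
        decision = AuthzDecision(False, "expired")
    elif token.use != requested_use:
        decision = AuthzDecision(False, "wrong-use")
    elif token.privilege != requested_privilege:
        decision = AuthzDecision(False, "insufficient-privilege")
    elif subject_status.get(token.subject) != "active":
        # Freshest, most specific data wins over whatever the token claimed at issue time.
        decision = AuthzDecision(False, "subject-not-active")
    else:
        decision = AuthzDecision(True, "ok")
    if not decision.allowed:
        detection_sink.append({"ts": now, "subject": token.subject, "use": requested_use,
                               "privilege": requested_privilege, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    tok = ScopedToken("alice", "report-export", "read:report", issued_at=1000.0, ttl_seconds=300)
    events = []
    print(authorize(tok, "report-export", "read:report", {"alice": "active"}, events, now=1100.0))
    print(authorize(tok, "admin-console", "read:report", {"alice": "active"}, events, now=1100.0))
    print(events)
```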
Interesting line of thought, Gunner,
I was thinking some of these questions might come up if some sort of threat modeling session was done for the project. I see something like an additional type of user (loser) stories could be added to that process.
-Craig
Posted by: Craig Munson | June 26, 2012 at 09:38 AM