Security by design: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
(New page: ==Abstract== '''Secure by design''', in software engineering, means that the program in question has been designed from the ground up to be secure. Often this involves being fully fault to...)
 
Line 6: Line 6:
Generally, designs that work well do not [[Security through obscurity|rely on being secret]]. It is not mandatory, but good security usually means that everyone is allowed to know and understand the design, ''because it is secure''. If a design is insecure, it is often kept secret to "protect" its users (and designers!). Conversely, if a design is kept secret, then it may be insecure without anyone's realizing it.<br>
Generally, designs that work well do not [[Security through obscurity|rely on being secret]]. It is not mandatory, but good security usually means that everyone is allowed to know and understand the design, ''because it is secure''. If a design is insecure, it is often kept secret to "protect" its users (and designers!). Conversely, if a design is kept secret, then it may be insecure without anyone's realizing it.<br>
<br>
<br>
Also, it is very important that everything work with the least [[privilege (computer science)|privilege]] possible. A Web server that runs as the administrative user (root or admin) can have the ability to remove files and users that do not belong to itself. Thus, a flaw in that program could put the entire system at risk. On the other hand, a Web server that runs inside a virtual private server and only has the privileges for required network and file system functions cannot compromise the system it runs on unless the security around it (the "sandbox") is also flawed.<br>
Also, it is very important that everything work with the least [[privilege (computer science)|privilege]] possible. A Web server that runs as the administrative user (root or admin) can have the ability to remove files and users that do not belong to itself. Thus, a flaw in that program could put the entire system at risk. On the other hand, a Web server that runs inside a virtual private server and only has the privileges for required network and file system functions cannot compromise the system it runs on unless the security around it (the "sandbox") is also flawed.
<br>
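Review bot: the only change visible in this hunk is that the `<br>` closing the least-privilege paragraph moves from the end of that paragraph onto a line of its own, so the rendered spacing stays the same while the markup drifts further from plain wikitext. A blank line already separates paragraphs in wikitext, so consider dropping the `<br>` tags here (the trailing one on the "designs that work well" paragraph and the standalone `<br>` lines) rather than relocating them.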
 
To summarize: a system which is "secure by design" has been designed to make it difficult to abuse or misuse.
==See also==
*[[Computer security]]
*[[Hardening]]
*[[Secure by default]]
*[[Security through obscurity]]
*[[Software Security Assurance]]
*[[zero-day exploit]]
 
==External links==
*[http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/index.html Secure Programming for Linux and Unix HOWTO]
*[http://www.faqs.org/faqs/unix-faq/programmer/secure-programming/ Secure UNIX Programming FAQ]

Revision as of 18:17, 14 June 2007

Abstract

Secure by design, in software engineering, means that the program in question has been designed from the ground up to be secure. Often this involves being fully fault tolerant. If, for instance, a user has to type his name, and that name is then used elsewhere in the computer program, care must be taken that when a user enters a blank name, the program does not break.
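The blank-name case above, as an added example that is not code from the original page: the "secure by accident" consumer works for ordinary names and breaks on the empty string, while the designed-in version returns a result on every path. The length limit and the `Anonymous` fallback are assumptions made for the example.

```python
"""Fault tolerance on user-supplied input: the blank-name case.

Added illustration (not from the original page) of a name typed by a user
being reused elsewhere in the program: the consumer must survive an empty,
whitespace-only or otherwise degenerate value instead of breaking.
"""
from dataclasses import dataclass
from typing import Optional

MAX_NAME_LEN = 64  # assumed limit for this example


def naive_display_name(name: str) -> str:
    """The 'secure by accident' version.

    Works for ordinary input, but raises IndexError on the empty string
    because it assumes name[0] exists.
    """
    return name[0].upper() + name[1:]


@dataclass(frozen=True)
class NameResult:
    ok: bool
    value: Optional[str] = None
    error: Optional[str] = None


def normalize_name(raw: Optional[str]) -> NameResult:
    """Designed-in handling of degenerate input.

    Every path returns a NameResult; nothing here raises on
    user-controlled content.
    """
    if raw is None:
        return NameResult(ok=False, error="name missing")
    # Collapse internal whitespace and strip the ends, so a blank name
    # becomes the empty string rather than crashing a later consumer.
    cleaned = " ".join(raw.split())
    if not cleaned:
        return NameResult(ok=False, error="name is blank")
    if len(cleaned) > MAX_NAME_LEN:
        return NameResult(ok=False, error="name too long")
    # Reject remaining control characters (split() already removed
    # newlines and tabs) so the value is safe in log lines and
    # single-line fields later in the program.
    if not all(ch.isprintable() for ch in cleaned):
        return NameResult(ok=False, error="name contains control characters")
    return NameResult(ok=True, value=cleaned[0].upper() + cleaned[1:])


def display_name(raw: Optional[str]) -> str:
    """What the rest of the program calls: always a usable string.

    The 'Anonymous' fallback is an assumption for the example.
    """
    result = normalize_name(raw)
    return result.value if result.ok else "Anonymous"


if __name__ == "__main__":
    for sample in ["alice", "", "   ", None, "bob\x00"]:
        print(repr(sample), "->", normalize_name(sample))
```

The point is the shape of the code rather than the particular checks: the naive function has an implicit precondition (a non-empty string) that nothing enforces, whereas `normalize_name` makes every failure an explicit return value that callers have to handle.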

The key idea of "security by design" is design. Many computer systems today are what one might call "secure by accident"; they are the results of years of testing and debugging, and while they may provide a great deal of security, they typically have no way to guarantee that a new bug or exploit won't be revealed tomorrow.

Generally, designs that work well do not rely on being secret. It is not mandatory, but good security usually means that everyone is allowed to know and understand the design, because it is secure. If a design is insecure, it is often kept secret to "protect" its users (and designers!). Conversely, if a design is kept secret, then it may be insecure without anyone's realizing it.

Also, it is very important that everything work with the least privilege possible. A Web server that runs as the administrative user (root or admin) can have the ability to remove files and users that do not belong to itself. Thus, a flaw in that program could put the entire system at risk. On the other hand, a Web server that runs inside a virtual private server and only has the privileges for required network and file system functions cannot compromise the system it runs on unless the security around it (the "sandbox") is also flawed.
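The least-privilege server above, as an added example that is not code from the original page: the daemon needs root only to bind a low port, and once the socket is bound it drops to an unprivileged account in the correct order and verifies that the drop is permanent. The `os_api` parameter, the `DryRunOS` stand-in and the `www-data` account name are assumptions made so the sequence can be exercised without root.

```python
"""Least privilege for a network daemon: bind first, then drop.

Added illustration (not from the original page). After the drop, a flaw in
request handling can no longer remove files or users that do not belong to
the server, which is the property the paragraph above describes.
"""
import os
import pwd
import socket
from typing import List


class PrivilegeDropError(RuntimeError):
    pass


def drop_privileges(uid: int, gid: int, os_api=os) -> List[str]:
    """Irrevocably switch to uid/gid; returns the steps taken, for auditing.

    Order matters: supplementary groups and the primary group go first,
    because after setuid() the process no longer has the right to change
    them. `os_api` defaults to the real os module; a stand-in can be
    injected for dry runs and tests (assumption for this example).
    """
    if uid == 0 or gid == 0:
        raise PrivilegeDropError("refusing to 'drop' to root")
    if os_api.getuid() != 0:
        raise PrivilegeDropError("not running as root; nothing to drop")
    steps: List[str] = []
    os_api.setgroups([])  # clear supplementary groups inherited from root
    steps.append("setgroups([])")
    os_api.setgid(gid)
    steps.append(f"setgid({gid})")
    os_api.setuid(uid)  # as root this sets real, effective and saved uid
    steps.append(f"setuid({uid})")
    # Verify the drop cannot be undone: regaining root must be denied.
    try:
        os_api.setuid(0)
    except PermissionError:
        steps.append("verified: setuid(0) denied")
    else:
        raise PrivilegeDropError("privilege drop was not permanent")
    if os_api.getuid() != uid or os_api.getgid() != gid:
        raise PrivilegeDropError("uid/gid did not change as expected")
    return steps


class DryRunOS:
    """Constructed stand-in for the os calls above (assumption, for testing).

    Mirrors the kernel rule that matters here: only uid 0 may change
    identity, so once we are unprivileged, setuid(0) is refused.
    """

    def __init__(self) -> None:
        self.uid, self.gid, self.calls = 0, 0, []

    def getuid(self) -> int:
        return self.uid

    def getgid(self) -> int:
        return self.gid

    def setgroups(self, groups) -> None:
        if self.uid != 0:
            raise PermissionError
        self.calls.append(("setgroups", tuple(groups)))

    def setgid(self, gid: int) -> None:
        if self.uid != 0:
            raise PermissionError
        self.gid = gid
        self.calls.append(("setgid", gid))

    def setuid(self, uid: int) -> None:
        if self.uid != 0 and uid != self.uid:
            raise PermissionError
        self.uid = uid
        self.calls.append(("setuid", uid))


def serve_with_least_privilege(port: int = 80, user: str = "www-data") -> None:
    """Bind the privileged port as root, drop, then serve as `user`.

    Real usage only; requires root and an existing account (assumed name).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("0.0.0.0", port))  # the only step that needs root
    listener.listen(16)
    entry = pwd.getpwnam(user)
    for step in drop_privileges(entry.pw_uid, entry.pw_gid):
        print(step)
    # From here on, request handling runs with the unprivileged identity.
    listener.close()


if __name__ == "__main__":
    print(drop_privileges(1000, 1000, os_api=DryRunOS()))
```

Two checks in `drop_privileges` are the ones most often forgotten: clearing supplementary groups before `setgid`, and attempting `setuid(0)` afterwards to prove the drop is irreversible rather than assuming it. The `DryRunOS` class exists only so the ordering can be exercised and tested without root; it is not part of any real library.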

See also

External links