Thursday, March 06, 2008

Security Principles

Browsing through the OWASP site, I came across the following security principles, which are of interest when designing a security architecture. Every security policy has 3 objectives:
a) Confidentiality b) Integrity c) Availability

Examples of security principles:
1. Securing the weakest link (The chain is only as strong as its weakest link) - e.g. Attackers will not target the firewall, but the applications accessible through the firewall.

2. Minimize Attack Surface Area - design the system such that the potential areas for intrusion are reduced.

3. Principle of Least Privilege - give the user only those permissions that are required.

4. Principle of Defense in Depth - e.g. Do validations at the front-end using JavaScript, in the web-tier using validation logic, and in the database using constraints and triggers.

5. Fail securely - If an application/program fails, then it should not leave the system in an insecure state.

6. Separation of Duties - e.g. an administrator should be able to turn the system on or off and set the password policy, but shouldn’t be able to log on to the storefront as a super privileged user, such as being able to buy goods on behalf of other users.

7. Don't just rely on security by obscurity. Use security by design. Use elements of both strategies.
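
Principles 4 and 5 in practice, as an added example that is not from the original post or from OWASP: the web tier validates an order, the database repeats the rule with CHECK constraints, and every error path rejects the write. The `orders` table, the function names and the 1 to 100 quantity limit are assumptions made for the illustration.

```python
import re
import sqlite3

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
INSERT = "INSERT INTO orders (email, quantity) VALUES (?, ?)"

def make_db():
    """Database tier: CHECK constraints repeat the rules closest to the data."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE orders (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL CHECK (email LIKE '_%@_%._%'),
        quantity INTEGER NOT NULL CHECK (quantity BETWEEN 1 AND 100))""")
    return db

def validate_order(form):
    """Web tier: re-check everything; browser-side JavaScript can be skipped."""
    email = str(form.get("email", "")).strip()
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email")
    try:
        qty = int(form.get("quantity", ""))
    except (TypeError, ValueError):
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return email, qty

def place_order(db, form):
    """Normal path. Fails securely: any error means nothing is stored."""
    try:
        email, qty = validate_order(form)
        with db:  # commits on success, rolls back on exception
            db.execute(INSERT, (email, qty))
        return True
    except (ValueError, sqlite3.Error):
        return False

def bulk_import(db, rows):
    """Hypothetical second code path that skips validate_order()."""
    stored = 0
    for row in rows:
        try:
            with db:
                db.execute(INSERT, row)
            stored += 1
        except sqlite3.IntegrityError:
            pass  # the database constraint is the remaining layer
    return stored
```

Feeding `bulk_import` a row with a quantity of 5000 shows the point of the extra layer: the web-tier check never ran, yet the row is still refused by the database.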

The following links provide interesting material for reading:
http://www.infoworld.com/article/05/08/19/34OPsecadvise_1.html
http://en.wikipedia.org/wiki/Honeypot_%28computing%29