Secure simply by SD3 way!

  • Article

There is a saying in English “Old habits die harder” and there is a riddle around it

I have one, you have one.
If you remove the first letter, a bit remains.
If you remove the second, bit still remains.
After much trying, you might be able to remove the third one also, but it remains.
It dies hard!

What is it?

Here is the answer for above riddle :

If you remove the first letter “h” from the word “Habit” , still a-bit remains, further if you remove letter from a-bit, still ‘bit’ remains and unfortunately after you remove letter ‘b’ as well, still ‘it’ remains. What is the moral of the story? Habits do not die easily. They linger on and on….

 I was wondering whether it is true for “Software developers” . Yes! It is! The evidence to support my argument is the number of security issues I find in several applications till date.

Clear text connection strings, Poor exception handling, un-sanitized user inputs , dynamic SQL and poor configuration issues and many more…and it’s all about poor habits [practices]. Can we do something about it is the problem question?

Why not? Inculcate good habits to erase the bad habits. Slowly over a period of time new habits superimpose themselves and take a charge.

SD3 is the Mantra to follow defense in depth principles. Developers have to follow the principles of SD3 to reduce security vulnerabilities in their applications.

SD 3 is Microsoft’s defense in depth strategy which stands for Secure by design, secure by default and secure in deployment.

Secure by Design: This means that developers follow secure coding best practices and implement security features in their applications to overcome vulnerabilities.

This principle consists of using security features like Authorization, Authentication, Auditing and logging, usage of least privilege account and cryptography etc.

Many designers and developers at the end just sprinkle few security features in their applications. Secure by design does not advocate that way.

Secure by design means blending security into your applications. It involves due consideration to security right from the design stage of your application and weaving security features into every aspect of application development process.

For Ex: If I know that my application handles sensitive data or information, I would like to encrypt the data and protect it from theft and tampering. I give due consideration to use cryptography in my application right at the design stage.

Secure by Default: This simply means that end users install applications without altering the default settings and therefore requires these users specifically select features that might not be used or that might reduce security.

Many users do not change the default settings after installation. Why to bother them by asking them to disable unwanted features to reduce the attack surface? Security should be by default. If a feature is specifically required by a user she will enable as per her choice and with knowledge of consequences in case of security breach.

For Ex: Users are prompted to select optional components during the setup procedure and have the option to add those components later by re-running setup.

Secure in deployment The applications can be maintained securely after deployment by updating with security patches, monitoring for attacks, and by auditing for malicious users and content.

 This involves having a process to identify newly discovered security vulnerabilities and ability to patch them regularly to remove those vulnerabilities. Also involves taking data – backups so that you can restore to normal in the event of a compromise, monitoring events at regular intervals and check for intrusions.

For Ex: In the event of application failure or errors, a system should be in place so that users should be shown only generic error information and those events should be logged so that administrators can help resolve the issues.

 

So dear developers conform to SD3 to develop secure applications and advocate security best practices to your fellow colleagues.

More information and videos on SD3

https://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20030513securitymh/manifest.xml