Defence in Depth: Summary (part 7/7)

Läs den här sidan på: 🇸🇪 Svenska

Throughout this article series we’ve touched upon a number of basic principles for how to build secure applications.

When we at Omegapoint perform security reviews we generally find more vulnerabilities in complex systems. Not only because complex systems contain more functions and provide a larger attack surface, but also because they are hard to grasp. Many weaknesses arise from the fact that the team does not fully understand their own system. For example the team might not know which APIs that are publicly exposed.

A system that the team understands has a greater potential for being secure. We generally find fewer weaknesses in systems where the team can draw architectural overviews and explain their system including any and all integrations.

At the beginning of all security reviews we ask the team responsible for the system to give a technical description of it and answer the following questions:

In our experience a secure system can always be described by the team according to the bullets above. However, the opposite is not true, i.e a system that can be described by the team is not necessarily secure. Understanding a system enables you to make it secure, but it’s not a guarantee.

“You can’t secure what you don’t understand” — Bruce Schneier, 1999 ”

It’s also important to understand different types of attacks to implement and verify your defense mechanisms. Our experience from past security reviews shows that OWASP defines a good base line that is relevant for many systems and realistic to implement. OWASP has a lot of great sub-project with good documentation. In particular we’d like to highlight:

Securing a system over time requires a structured way of working where security is an integrated part of your process. Independent, reoccurring security reviews give you feedback that your security work makes a difference.

See Defence in Depth for additional reading materials and code examples.

More in this series: