CSC 1029 Week 06: Secure Software Design


Questions and Answers

What is one of the main goals of security engineering in software development?

  • To prioritize features over security.
  • To integrate security-minded thinking into the process. (correct)
  • To increase software complexity.
  • To eliminate the need for testing.

Which security design principle advocates for maintaining a straightforward approach?

  • Trust with Confidence
  • Favor Complexity
  • Favor Simplicity (correct)
  • Defensive Programming

What does the acronym STRIDE represent in threat modeling?

  • Simplicity, Transparency, Reliability, Integrity, Data Protection
  • Software, Threats, Resilience, Implementation, Defense
  • Security, Trust, Risk, Integrity, Development
  • Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege (correct)

What is the primary difference between a software flaw and a software bug?

  • (D) Flaws are security problems in design, while bugs are issues in code. (correct)

What is a consequence of not considering security throughout the entire software development process?

  • (A) Greater vulnerability to attacks. (correct)

Which approach is suggested to avoid design flaws in secure software?

  • (A) Adopting a "security through the entire development process" mindset. (correct)

What is one of the key tenets in the article "Simplicity Is the Ultimate Sophistication"?

  • (D) Simplicity often leads to better security. (correct)

Trust with reluctance is primarily about:

  • (B) Evaluating trustworthiness before granting access. (correct)

Elevation of privilege in threat modeling refers to:

  • (C) Gaining unauthorized access to system resources. (correct)

What is the relationship between secure software design and user feedback?

  • (A) User feedback should be considered in the early stages of design. (correct)

What does the principle of 'Trust with Reluctance' emphasize?

  • (C) Giving access only to users who need it. (correct)

Defense in depth mainly seeks to address what kind of security challenge?

  • (D) Single points of failure in security. (correct)

What is meant by 'attack surface' in the context of software design?

  • (B) All parts of an application accessible by users or programs. (correct)

Which of the following best describes the principle of 'least privilege'?

  • (A) Users should have the minimum level of access necessary. (correct)

What does the secure design principle of 'modularity' refer to?

  • (D) Creating independent modules that can function separately. (correct)

What is the focus of the principle of 'fail secure'?

  • (A) In the event of a failure, the system should remain secure. (correct)

Which principle emphasizes the importance of complete mediation?

  • (C) All requests for access should be verified each time. (correct)

What does 'separation of domains' imply in secure design?

  • (D) Isolating sensitive data from less sensitive data. (correct)

Which principle aims to minimize trust surface interactions?

  • (A) Minimize the number of parties involved in interactions. (correct)

What is the primary objective of encapsulation in software security?

  • (B) To hide internal states and only expose necessary interfaces. (correct)

Flashcards

Security Engineering

Applying security considerations throughout the software development process.

Threat Modeling

Identifying potential attacks on a system.

Software Security Requirements

Defining security needs and goals for software.

Software Design Flaws

Security problems in software's design, not in the code.


Favor Simplicity

Designing for ease of understanding and security.


Trust with Reluctance

Extending only limited trust, and only after validation.


Defense in Depth

Using multiple layers of security.


Top Design Flaws

Common weaknesses in software design that increase vulnerabilities.


Software Vulnerability

A weakness in software that can be exploited.


Spoofing

Masquerading as someone or something else.


Attack Surface

Any part of a program that can be accessed by an attacker.


Minimize Attack Surface

A security principle that reduces the potential points of attack in a system.


Modularity

A principle of building systems from separated, independent modules.


Separation of Domains

A security design principle used to divide a system into distinct controlled areas.


Least Privilege

Granting users and programs only the access they absolutely need.


Complete Mediation

Every access request must be checked and explicitly authorized or denied.


Fail-Safe Defaults/Fail Secure

Choosing defaults that keep the system secure, including when a failure occurs.


Study Notes

Course Information

  • Course code: CSC 1029
  • Course title: Designing Secure Software

Week 06 Agenda

  • Designing & Building Secure Software
  • Threat Modeling
  • Software Security Requirements
  • Avoiding Software Design Flaws
  • Favor Simplicity
  • Trust with Reluctance
  • Defense in Depth
  • Top Design Flaws
  • Case Study
  • Interview on Building Secure Software
  • Interactive Lesson
  • TODO & Resources for Help

Design and Building Secure Software

  • Protection of Information in Computer Systems (Saltzer and Schroeder, 1975) is a highly relevant classic paper.

Threat Modeling

  • There are five major threat modeling steps:
    • Defining security requirements
    • Creating an application diagram
    • Identifying threats
    • Mitigating threats
    • Validating that threats have been mitigated
  • Threat modeling should be incorporated in the development lifecycle to reduce risk.
  • Common threat categories (STRIDE):
    • Spoofing (S)
    • Tampering (T)
    • Repudiation (R)
    • Information disclosure (I)
    • Denial of service (D)
    • Elevation of privilege (E)

Software Security Requirements

Avoiding Software Design Flaws

  • Security weaknesses in software, whether in its code or in its design, are what attackers exploit.
  • Software vulnerabilities (bugs) are implementation-level problems in the code.
  • Design flaws are security problems in the software system's design rather than in its code.
  • Security needs to be considered throughout development.

Secure Design Principle: Favor Simplicity

  • Articles like "Simplicity is the Ultimate Sophistication" and Bruce Schneier's plea for simplicity in computer systems emphasize simpler designs for secure software.

Secure Design Principle: Trust with Reluctance

  • Trust with reluctance, a security principle, emphasizes limiting trust levels ("need-to-know").

Secure Design Principle: Defense in Depth

  • Most applications are vulnerable when a single defense layer is breached.
  • Defense in depth uses multiple layers of defense, each offering its own protection; the layers add resilience and limit the impact on the system if a breach occurs at any single layer.

Secure Design Principle: Software Design Flaws

  • Attack surface is any accessible component within a system that can be targeted, or any point on the system's defensive layers that an attacker can leverage to expose weaknesses in those defenses.
  • The principle of minimizing the attack surface aims to reduce points of access that malicious users can exploit.

Case Study

  • Case study of a very secure FTP.

Interview

  • Interview with Gary McGraw on building secure software.

Cybersecurity Principles Interactive Lesson

  • Cybersecurity principles such as:
    • Modularity
    • Simple designs
    • Layering/Defense in depth
    • Separation of Domains
    • Complete Mediation
    • Least privilege
    • Fail-safe Defaults/Fail Secure
    • Isolation
    • Encapsulation
    • Usability
    • Open Design
    • Least Astonishment
    • Trust Relationships
    • Minimizing trust surface

Pre-Work and Next Week

  • Guidelines for completing the pre-work for Week 6.
  • Introduction of the content for week 7.

Questions, Clarifications, and Help

  • Access to student office hours, email, tutoring, and online resources.
