Secure Design in the Limelight


The launch last week of the IEEE Center for Secure Design is an opportunity to remind the industry of the prominent role of secure design in building secure IT products.

Security engineering requires three main technical activities: secure design, secure coding and security testing. The industry has put much of its emphasis on secure coding and security testing, and much less on secure design. That is unfortunate.

Design Matters: Chanute’s twelve-winged glider in 1896.

The early flying machines from the late 19th century failed, not because of a defect in any of their components, but because of the overall design of the machine. Likewise, secure design is needed to provide confidence in the overall security of a system. We need to approach security engineering as one discipline tightly integrating secure design, secure coding and security testing.

Tools may be to blame for the lack of focus on secure design. The security tool market has matured, and engineers now have a broad choice of tools to use during coding and testing that do a decent job of detecting coding mistakes. We need to increase their use and reduce the number of false positives they produce, but overall they have created the perception for some that software security is just about using a security tool.

It is not. The only tools you need for secure design are a marker, a whiteboard and, most importantly, experience. Secure design is about understanding how the components interact, establishing trust assumptions and making design decisions that prevent attacks given those trust assumptions. Secure design is very complex; it requires knowledge of how the product operates along with an attacker's mindset. The IEEE Center for Secure Design document provides great field-tested examples of secure design considerations, ranging from defining trust to validating data and access.

Threat modeling is the most important activity to support secure design. It gives you the security foundation on which all the other security engineering activities that need to be performed rely. You will not be able to sustainably build a secure product without secure design.

We have always made secure design a priority in EMC’s product security engineering practices and we were delighted to contribute our experience to the IEEE Center for Secure Design.

Eric Baize May 14th, 2013