This material was developed with funding
from the National Science Foundation
This work is licensed with a
Creative Commons Attribution 4.0 International License
You are a software developer. Your ultimate goal is to create a design that does the intended task and is efficient, effective, and usable. Use security design principles to help you achieve the main tenets of information security: confidentiality, integrity, and availability of the system, its sub-systems, and the system data.
Minimize Trust Surface
(Reluctance to Trust)
Good Design Principles
Modularity subdivides a system into smaller parts, or modules, that can be independently created and then used in several systems. Security functions should be developed as separate, protected modules.
Simplicity of Design
When you design a security application or program, keep it as simple and small as possible.
Cybersecurity Design Principles
Simplicity of Design (Economy of Mechanism)
Just keep it simple #$!!^%!
The door lock design on the top is interesting, but it adds too much complexity.
Layering uses overlapping protection approaches to address the people, technology, and operational aspects of information systems.
An example of layering is Defense-in-Depth, a security approach that involves a series of security mechanisms so that if one fails, others will be in place.
Figure: Defense in Depth layers, including Procedures & Awareness.
Use a practice in which multiple privilege attributes are required to achieve access to a restricted resource. Data and/or systems are separated into logically defined domains, and communication between domains must be authorized.
Figure: a parent domain (Domain A) with three child domains: Domain B (Database Chicago), Domain C (Database Houston), and Domain D (Database Dallas). Users in Domain A, the parent domain, can see and manage records in Domains B, C, and D (the child domains). Users in a child domain cannot see or manage records in the parent domain.
Complete Mediation
All access to objects must be checked to ensure that it is allowed. Whenever a subject attempts to read an object, the operating system should mediate the action: first it determines whether the subject is permitted to read the object, and only then does it provide the resources for the read to occur.
Least Privilege
Bob will ensure that every process and every user of the system operates using the least set of privileges necessary to perform the task. Any user, program, or process should have only the bare minimum privileges necessary to perform its assigned functions, based on its role.
Figure: users with their roles (for example, the General Employee Role) and the privileges each role needs.
Fail Safe Defaults / Fail Secure
When a system fails, access attempts also fail. The system fails safe: it does NOT allow users to access protected resources while it is in the failed state.
Figure: error screen shown to the user ("The system is ..." / "Please try later").
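The three principles above (least privilege, mediation of every access, and fail-safe defaults) come together in a reference monitor. The following is an added example, not material from the module: a small allow-list monitor for a hypothetical payroll system, with constructed role names, resources, and policy table. It is shown beside the weak deny-list pattern it replaces, and it simulates an unreachable policy store to show what "fail secure" means in code.

```python
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Constructed role -> permission table for a hypothetical payroll system.
# Each role lists only the accesses it needs (least privilege); anything
# not listed is implicitly denied (fail-safe defaults).
POLICY: Dict[str, Set[Permission]] = {
    "general_employee": {("timesheet", "read"), ("timesheet", "write")},
    "payroll_clerk": {("timesheet", "read"), ("payroll", "read"), ("payroll", "write")},
    "auditor": {("timesheet", "read"), ("payroll", "read"), ("audit_log", "read")},
}

# The weak pattern: a deny-list.  Anything not explicitly forbidden is
# allowed, so a new resource, a new role, or a typo silently grants access.
DENY_LIST: Set[Tuple[str, str, str]] = {("general_employee", "payroll", "write")}


def denylist_is_allowed(role: str, resource: str, action: str) -> bool:
    """Access decision based on exclusion rather than permission (the anti-pattern)."""
    return (role, resource, action) not in DENY_LIST


class ReferenceMonitor:
    """Single chokepoint that every access must pass through (complete
    mediation).  policy=None simulates a policy store that cannot be read."""

    def __init__(self, policy: Optional[Dict[str, Set[Permission]]]):
        self.policy = policy
        self.audit: List[str] = []

    def is_allowed(self, role: str, resource: str, action: str) -> bool:
        # Fail secure: if the policy cannot be consulted, deny and log
        # rather than guess.
        if self.policy is None:
            self.audit.append(f"DENY (policy unavailable) {role} {action} {resource}")
            return False
        # Fail-safe default: unknown roles and unlisted pairs get nothing.
        allowed = (resource, action) in self.policy.get(role, set())
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {role} {action} {resource}")
        return allowed

    def read(self, role: str, resource: str) -> str:
        """Every read is mediated; the object is touched only after the check passes."""
        if not self.is_allowed(role, resource, "read"):
            raise PermissionError(f"{role} may not read {resource}")
        return f"<contents of {resource}>"


if __name__ == "__main__":
    rm = ReferenceMonitor(POLICY)
    print(rm.read("payroll_clerk", "payroll"))
    try:
        rm.read("general_employee", "payroll")
    except PermissionError as exc:
        print("denied:", exc)
    # An unknown role slips past the deny-list but not the allow-list monitor.
    print(denylist_is_allowed("contractor", "payroll", "write"))
    print(rm.is_allowed("contractor", "payroll", "write"))
    # With the policy store unreachable, even a normally valid access is refused.
    print(ReferenceMonitor(None).is_allowed("auditor", "audit_log", "read"))
    print("\n".join(rm.audit))
```

In a real operating system the monitor is the kernel's access-control code and the audit list is the system log; the point here is only the shape of the decision: one chokepoint, an allow-list, and denial when in doubt.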
In object-oriented programming (OOP), a class definition encapsulates all data and functions that operate on the data.
If an application maintains information on streets and roads for mapping, the database will encapsulate and define the properties of the streets and roads needed for processing. Properties like speed limit, direction, lanes, and congestion are encapsulated for real-time processing. The application does not need to know about other properties such as how the road is constructed, the types of vehicles using the street, or other physical properties.
Usability is all about user-centered design. Both the design and development processes are focused around the perspective of the application user.
Avoid abrupt and major changes of the interface view when they are not necessary, so that the interface stays stable. Using a default interface pattern helps improve the stability of interfaces that show pieces of correlated content and allow the user to make choices.
The design of a security mechanism should be open and not depend on the secrecy of the design details or implementation.
For example, RSA is an asymmetric encryption algorithm based on the observation that multiplying two large prime numbers is easy, but factoring their product is difficult. The public key consists of two numbers, one of which is the product of two large primes. The algorithm is very secure even though its design is well known and open to the community: its security rests on the secrecy of the private key, not of the design. Open design also ensures compatibility and makes updates and revisions much easier.
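To make the open-design point concrete, here is textbook RSA in Python as an added example (not part of the original module), using deliberately tiny constructed primes (p = 61, q = 53, e = 17). Every line of the algorithm is public, and so is the public key (n, e); the only secret is d. The last two functions show what an attacker who knows the whole design must still do to obtain d, namely factor n, which is feasible here only because n is small.

```python
from math import gcd, isqrt
from typing import Tuple

Key = Tuple[int, int]


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA key generation from two primes.

    Returns ((n, e), (n, d)).  n and e are published; d stays private.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub: Key, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be in [0, n)")
    return pow(m, e, n)


def decrypt(priv: Key, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_trial(n: int) -> Tuple[int, int]:
    """Trial division.  Works here only because n is tiny; for a real
    2048-bit modulus this (and every known method) is infeasible, which is
    exactly what the security rests on."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("n has no non-trivial factor")


def recover_private_exponent(pub: Key) -> int:
    """The attacker knows the published design and the public key, so the
    only missing piece is the factorization of n; with it, d follows."""
    n, e = pub
    p, q = factor_trial(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed toy parameters; real keys use primes of roughly 1024 bits each.
    pub, priv = make_keypair(61, 53, e=17)
    c = encrypt(pub, 65)
    print("public:", pub, "private:", priv)
    print("ciphertext:", c, "decrypted:", decrypt(priv, c))
    print("d recovered by factoring n:", recover_private_exponent(pub))
```

The textbook scheme above has no padding and is not something to deploy; it is here only to show that publishing the algorithm gives an attacker nothing beyond the hard problem the key size is chosen to defeat.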
A component of a system should behave in a way that most users will expect it to behave and it should not astonish or surprise users. When Microsoft removed the Start button from its operating system, users were surprised. Microsoft ended up releasing an updated version of Windows and added the Start button back.
Figure: a desktop with no Start button.
Developers and security specialists should build applications, systems, and networks that match ordinary users' sociological expectations of trust in terms of identity, authentication, service level agreements, and privacy. Developers must maintain a trust boundary. The issues in establishing trust include the following:
Authenticating the other endpoint to prevent masquerading
Ensuring the security of the communication to maintain the confidentiality of the data
Preventing data tampering to maintain the integrity of the data
Assume that the environment in which a system resides is insecure. Trust, whether in external systems, code, or people, should always be held closely and never given loosely.
When building an application, anticipate malformed input from unknown users. Even if the users are known, they are susceptible to social engineering attacks making them potential threats to a system.
No system is 100% secure, so the interface between two systems should be secured. Minimizing the trust in other systems can increase the security of an application.
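The passages above on trust boundaries and on anticipating malformed input describe a pattern rather than showing one, so here is an added example, not code from the module: a validator for a hypothetical "transfer" request body arriving across a trust boundary. The field names, limits, and sample bodies are all constructed. It treats the sender as untrusted: it allow-lists field names, checks every type and range explicitly, and rejects rather than repairs anything unexpected.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict

# Constructed limits for a hypothetical "transfer" API endpoint.
MAX_BODY_BYTES = 4096
ALLOWED_FIELDS = {"account", "amount_cents", "memo"}
ACCOUNT_RE = re.compile(r"[0-9]{8,12}")
MAX_AMOUNT_CENTS = 10_000_000
MAX_MEMO_CHARS = 64


class ValidationError(ValueError):
    """Raised for any input that does not match the expected shape exactly."""


@dataclass(frozen=True)
class TransferRequest:
    account: str
    amount_cents: int
    memo: str


def parse_transfer(raw: bytes) -> TransferRequest:
    """Validate a request body that crosses a trust boundary.

    Every assumption about the sender is checked explicitly; anything
    unexpected is rejected rather than coerced or repaired.
    """
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:  # JSONDecodeError is a ValueError
        raise ValidationError(f"malformed body: {type(exc).__name__}") from None
    if not isinstance(obj, dict):
        raise ValidationError("body must be a JSON object")
    fields = set(obj)
    if fields != ALLOWED_FIELDS:
        # Allow-list the field names: extra keys are a common mass-assignment
        # vector, and missing keys mean a broken or hostile client.
        raise ValidationError(f"unexpected or missing fields: {sorted(fields ^ ALLOWED_FIELDS)}")
    account, amount, memo = obj["account"], obj["amount_cents"], obj["memo"]
    if not isinstance(account, str) or not ACCOUNT_RE.fullmatch(account):
        raise ValidationError("account must be 8-12 digits")
    # bool is a subclass of int in Python, so JSON `true` would pass a bare int check.
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise ValidationError("amount_cents must be an integer")
    if not 1 <= amount <= MAX_AMOUNT_CENTS:
        raise ValidationError("amount_cents out of range")
    if not isinstance(memo, str) or len(memo) > MAX_MEMO_CHARS or not memo.isprintable():
        raise ValidationError("memo must be short printable text")
    return TransferRequest(account, amount, memo)


# Constructed sample bodies: one well-formed request and several of the
# malformed or hostile shapes an untrusted client might send.
SAMPLE_BODIES: Dict[str, bytes] = {
    "valid": b'{"account": "123456789", "amount_cents": 2500, "memo": "rent"}',
    "not_json": b"account=123456789&amount_cents=2500",
    "extra_field": b'{"account": "123456789", "amount_cents": 2500, "memo": "x", "role": "admin"}',
    "bool_amount": b'{"account": "123456789", "amount_cents": true, "memo": "x"}',
    "negative": b'{"account": "123456789", "amount_cents": -1, "memo": "x"}',
    "control_chars": b'{"account": "123456789", "amount_cents": 1, "memo": "a\\u0000b"}',
    "huge": b'{"memo": "' + b"A" * 5000 + b'"}',
}


def triage(bodies: Dict[str, bytes]) -> Dict[str, str]:
    """Return an accepted/rejected verdict per sample so behaviour is easy to check."""
    verdicts: Dict[str, str] = {}
    for name, body in bodies.items():
        try:
            parse_transfer(body)
            verdicts[name] = "accepted"
        except ValidationError as exc:
            verdicts[name] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_BODIES).items():
        print(f"{name:14} {verdict}")
```

The size check runs before parsing so a hostile client cannot make the parser do the work of rejecting a multi-megabyte body, and the field allow-list is an equality test rather than a subset test so that both extra and missing fields are refused. The same pattern applies to input from known users, since, as the passage above notes, they can be socially engineered into submitting data they did not author.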
The design does not depend on the secrecy of the design details
The user interface responds as expected
Quiz 1 of 10
Software that users learn quickly and is easy to use
Minimize Trust Surface
Boundaries exist to prevent masquerading and to maintain confidentiality and integrity
Drag each term to its appropriate description.
Clear distinctions between privilege levels exist (i.e., authentication AND authorization)
Isolation prevents disclosure of, or tampering with, critical resources (data, processes, etc.).
For example, several processes run on a computer, and each can access only its own address space (memory). If a word processor, a point-of-sale program, and a database program are all running on a system at the same time, process isolation ensures that none of the applications can influence or corrupt the others.
multiple privilege attributes are required to achieve access to a restricted resource
Fail Safe Defaults
Protection is provided by having a collection of procedures in a domain of its own
access decisions based on permission rather than exclusion
every access is checked against the access control setting to ensure that access is allowed
Quiz 2 of 10
privileges granted to perform the required task
Quiz 3 of 10
What design principle is illustrated?
Simplicity of design
A system should be subdivided into smaller parts that can be independently created and then used in several systems.
Quiz 4 of 10
Bob works at a small company. When he enters the building, he has access to all rooms. Which security principles is the company violating with this practice? Select all that apply.
Quiz 5 of 10
What design principle does the lock pictured above violate?
Quiz 6 of 10
Bob designed an administrative interface that grants access to production management networks, checks for administrative user authorization, and logs all access. Which of the following best describe the security principle that Bob has employed?
Defense in depth
“The security of a mechanism should not depend on the secrecy of its design or implementation” describes which of the following principles?
Quiz 7 of 10
This security principle maintains confidentiality, integrity, and availability by defaulting to a secure state: unless a user is given explicit access to an object, that user is denied access to it.
Quiz 8 of 10
Quiz 9 of 10
Bob is verifying that all pages and resources by default in his web application require authentication except those specifically intended to be public. What design principle does this describe?
Drag the cybersecurity principle into its proper category.