Functional requirements – what a system must do.
Non functional requirements – how the system must behave. On top of performance, usability, maintanability -> security.
CIA – Confidentiality (Privacy), Integrity, Availability + non-repudiation
– kid-level: unskilled, opportunistic, bragging rights
– malware/ransomware: automated, opportunistic, financial gain
– professional attacker: highly skilled, resources, persistent, adapt to their targets
– nation state level: best skills available, big resources, goals – aligned with the country military/geo-strategic objectives
Vulnerability / exposure / security incident
Vulnerability types: bugs and flaws. Bugs – defects in the development process; could be detected by automated tools. Flaws – defects in the design process; could not be detected by automated tools.
A vulnerability does not necessarily cause an impact. It needs 2 more steps:
– Exposure: if the vulnerability becomes known to an attacker
– Security incident: if the attacker takes advantage of the exposure to perform an attack
Vulnerability assessment: black box vs white box testing
– Black box – no access to the source code, hosting environment, etc
– White box – full access to the source code, hosting, etc
– minimize the attack area
– secure defaults (coding and configuration)
– fail securely (defensive coding)
– give least privilege (need to know)
– multiple layers (ex. encrypted USB key, in a locked safe)
– no security by obscurity
– keep the design simple
Identification, Authentication, Authorization
Identification – who are you?
Authentication – how can you prove who you are?
Authorization – what can you do once authenticated?
– don’t say why the authentication failed (‘wrong username’ -> enumeration, ‘wrong password’ -> brute force attack)
– do not change data on the server via a HTTP GET request
– allow pasting passwords
– do not make the “Log out” option difficult to find
– just use HTTPS
Written by Dorin Moise (Published articles: 260)