Chapter 9. Building Secure and Usable Systems
What does it mean to build a secure system?
Building a secure system means designing and implementing a system that deals with the risks that you are taking, and leaves only acceptable risks behind.
The level of security that you apply will depend on your organization, on your industry, on your customers, and on the type of system. If you are building an online consumer marketplace, or a mobile game, you’ll have a very different set of security concerns than someone building an encryption device designed to be used in the field by Marines in the advance guard.
However, some patterns are common to most security situations.
Design to Resist Compromise
A secure system must be built to resist compromise, whether that means resisting remote SQL injection attacks, withstanding differential power analysis attacks, or not leaking information through electromagnetic emanations. The point is that you understand the operating environment and can build in protection against compromise.
You do this by changing your design assumptions.
We know from years of crypto research that you should assume that all user input is under the attacker's control, and that attackers can repeatedly and reliably introduce whatever input they want. You should also assume that attackers can reliably read all output from your system.
You can even go so far as to assume that the attackers know everything about your system and how it works.[1] So where does that leave you?
Resisting compromise is about ...