3.2. Secure Design Steps

There is so much more to security design than planning out a modularized application with minimal privilege. So, how do we get where we want to go? Although there are many differing software development processes, security design efforts typically include most of the following specific steps, and ask the following specific questions:

  1. Assess the risks and threats:

    What bad thing can happen?

    What are the legal requirements?

  2. Adopt a risk mitigation strategy:

    What is our plan?

  3. Construct one or more mental models (e.g., a "bathtub," a "safe," a "jail," a "train") to facilitate development:[2]

    [2] Interestingly, this model need not resemble in any way the model presented to the eventual users of the software as a guide to their use.

    What does it do?

  4. Settle high-level technical issues such as stateful versus stateless operation, use of privileges, or special access by the software:

    How does it work?

  5. Select a set of security techniques and technologies (good practices) to satisfy each requirement:

    What specific technical measures should we take?

  6. Resolve any operational issues such as user account administration and database backup (and the protection of the resulting media):

    How will we keep this application system operating securely?

The following sections cover the first five of these steps; Chapter 4 and Chapter 5 describe the final step from different perspectives.

Here we present an informal way of working that has sufficed for our purposes for many years. There are ...

Get Secure Coding: Principles and Practices now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.