Secure design is a mindset and way of working

What does security say to you?

Imagine for a moment that you randomly select someone in the street and ask, “What does the term security say to you?” The likelihood is that he or she will immediately think of their personal and loved ones’ safety, or the excellent TV series Mr Robot, or media reports about the hacked accounts of socialites.

If that proverbial person in the street happens to be a software professional, perspectives like login screens, captchas and firewalls are likely to pop into his or her mind.

All are coherent viewpoints. But since everything starts with design, what about security in design? Digitalisation customers are more aware of security and privacy these days. Market forces are driving the need to better protect digital products, services, utilities and other critical infrastructure. The ubiquity of the internet and cloud demands ever more proactive and robust protection for business and personal assets to thwart security- and privacy-related harm. There are security- and privacy-related standards, directives and regulations. And of course, product and service security is a contributor to overall quality, which in turn contributes to customer satisfaction and the monetary bottom line.

So, the business justification for secure design is clear. But what does secure design mean?

Security defined

The term security is derived from the Latin root secura, meaning free of concern. According to SAFECode.org, “Secure design encompasses methods and processes that ensure design, software and user experience function as intended, while mitigating the risks of vulnerabilities and malicious code that could bring harm to your business and to your end users”.

Now, since being free of concern is a human emotion, I must admit that I slightly amended the original SAFECode definition to also incorporate the terms design and user experience, since it is secure design that facilitates secure development which, in turn, enables secure user interaction. In essence, a secure design is a design that is self-protective and, in the context of usability and user interaction, is trustworthy.

What does secure design mean in practice?

So, getting back to the proverbial person in the street, he or she could now reasonably enquire “Well, those are fancy definitions, but then what does secure design mean in practice?”

I would reply that secure design is a mindset and way of working throughout the lifecycle of any product or service digitalisation project. That is to say, security is taken into consideration during requirements gathering, architecture design, user interface design, coding, testing, and deployment to customers. In other words, security is built into the product or service from the start, not bolted on as an afterthought.

Then the proverbial person in the street will logically ask “OK, so how can I do that, and with what?”

I would reply that we conveniently don’t have to go to the bother of inventing secure design frameworks since they already exist.

Firstly, there is the open-source Open Web Application Security Project (OWASP) flagship project called the Open Software Assurance Maturity Model (OpenSAMM) Version 1.1, which is a security assurance framework to help organisations formulate and implement a strategy for software security that is tailored to the specific risks facing the organisation.

Secondly, there is the Security Development Lifecycle (SDL) Version 5.2 developed by Microsoft, which incorporates secure development recommendations for Agile development. The Microsoft SDL is squarely focused on the identification of security threats and their mitigation via secure design, secure coding and security verification.

Thirdly, the OWASP project publishes a security verification standard that provides a basis for testing web application technical security controls and also gives developers a list of requirements for secure development.

Companies large and small that are security-aware are utilising these industry-scrutinised frameworks and are benefiting from them.

Secure design enhances inter-disciplinary collaboration

A common thread across these holistic resources is that they encourage us to incorporate industry-scrutinised secure development lifecycle best practices into our daily work. They also facilitate better communication and comprehension amongst digitalisation designers, architects and developers.

For example, threat modelling is the activity of scrutinising a design to identify user and business assets that require protection, and the security controls to protect them. Threat modelling starts in the design phase and requires facilitated collaboration between designers, architects and developers. In this way, a usable and sufficiently secure design starts to be built from the outset, reducing the vulnerability surface of the product or service even before any code is written. Secure coding and security testing further reduce the threat landscape and vulnerability surface to the point where a sufficiently secure service or product is accomplished.
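To make the paragraph above concrete, here is an added Python illustration (it is not code from the original post, and not any framework's own tooling) of threat modelling as a design-time check. It describes a design as assets and data flows, classifies the threats to each flow that crosses a trust boundary using the STRIDE categories associated with the Microsoft SDL mentioned earlier, and reports which categories no declared control addresses. The design, the asset sensitivities and the mapping from control names to the STRIDE categories they mitigate are all constructed, simplified assumptions for the example.

```python
"""Threat modelling as code: find unmitigated STRIDE categories on a design
before any product code exists. Added example; all data below is constructed."""
from dataclasses import dataclass, field

# STRIDE categories in their conventional order.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumed, simplified mapping: which categories each control mitigates.
CONTROL_MITIGATES = {
    "mutual_tls": {"S", "T", "I"},   # peer authentication + transport integrity/confidentiality
    "authn": {"S"},                  # user authentication
    "input_validation": {"T"},
    "audit_log": {"R"},
    "encryption_at_rest": {"I"},
    "rate_limit": {"D"},
    "authz_check": {"E"},
}

SENSITIVITY_RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: str  # "high" | "medium" | "low"


@dataclass
class Flow:
    name: str
    source: str
    dest: str
    asset: str                      # name of the Asset carried by this flow
    crosses_trust_boundary: bool
    controls: set = field(default_factory=set)


def unmitigated_threats(flows, assets):
    """Return (flow name, threat category, asset sensitivity) for every STRIDE
    category on a boundary-crossing flow that no declared control mitigates."""
    sensitivity = {a.name: a.sensitivity for a in assets}
    findings = []
    for flow in flows:
        if not flow.crosses_trust_boundary:
            continue  # simplification: only boundary-crossing flows are assessed
        mitigated = set().union(*(CONTROL_MITIGATES.get(c, set()) for c in flow.controls))
        for code, category in STRIDE.items():
            if code not in mitigated:
                findings.append((flow.name, category, sensitivity.get(flow.asset, "unknown")))
    return findings


def prioritised(flows, assets):
    """Same findings, most sensitive asset first, so the workshop discusses those first."""
    return sorted(unmitigated_threats(flows, assets), key=lambda f: SENSITIVITY_RANK[f[2]])


def with_controls(flow, extra):
    """A design change: the same flow with additional controls declared."""
    return Flow(flow.name, flow.source, flow.dest, flow.asset,
                flow.crosses_trust_boundary, flow.controls | set(extra))


# Constructed sample design: a browser talking to an API over the internet,
# the API reading a database inside the same trust zone, and a CDN serving a catalogue.
ASSETS = [Asset("customer_record", "high"), Asset("product_catalogue", "low")]
FLOWS = [
    Flow("browser->api", "browser", "api", "customer_record", True,
         {"authn", "mutual_tls", "audit_log"}),
    Flow("api->db", "api", "db", "customer_record", False, set()),
    Flow("cdn->browser", "cdn", "browser", "product_catalogue", True, {"mutual_tls"}),
]

if __name__ == "__main__":
    for name, category, sens in prioritised(FLOWS, ASSETS):
        print(f"[{sens}] {name}: no control for {category}")
    # Revise the design on paper, then re-run the check.
    hardened = [with_controls(FLOWS[0], {"rate_limit", "authz_check"})] + FLOWS[1:]
    print("browser->api after revision:",
          [f for f in unmitigated_threats(hardened, ASSETS) if f[0] == "browser->api"])
```

Running it lists the gaps on the two boundary-crossing flows (denial of service and elevation of privilege on the high-sensitivity API flow, plus repudiation on the CDN flow), and shows the API flow coming back clean once a rate limit and an authorisation check are added to the design. The value is not in the toy mapping but in the habit: the design is the input, the threat list is the output, and the output is produced before anyone writes product code.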

Another impetus for this secure design ethos is that secure design is also a privacy-supporting pillar, and privacy is a media magnet these days. All the more reason then to also invite the privacy manager to threat modelling workshops.

You can start secure design already today

There is no barrier to adopting the secure design mindset and way of working today. Although it is ideally begun at project initiation, you can consider right now how to introduce the security practices that are relevant to the stage of the project you are in. Your secure design mindset will start to germinate, and competence will evolve, as you adopt and incorporate secure design and development best practices into your work.