Series of articles: defence in depth part 7 of 7

Summary

Throughout this series of articles, we have touched on a number of basic principles for building secure applications.

  • Defence in depth - Build security in multiple layers

  • CIA-A - Security is a balance, don't forget availability

  • Least privilege - Minimum privilege for the task

  • Rotate, repave and repair - Safe operation requires automation

  • Secure by design - Security is part of your domain

  • Zero trust - Do not trust any actor, data, or individual security layer

  • Secure defaults - Limit the possibility of misconfiguration

When we at Omegapoint conduct security audits, we typically find more vulnerabilities the more complex the system is. This is not only because complex systems have more functions and therefore present a larger attack surface, but also because they are difficult to oversee. Many of the flaws we find stem from the team not fully understanding their own system. For example, the team may not know which of their APIs are publicly exposed.

A system that the team understands and can oversee is much more likely to be secure. We typically find fewer flaws in systems where the team can map out and explain the system in its entirety.

We start each security audit by having the responsible team provide a technical system description and answer the following questions:

  • What data does the system contain, and which of it is worth protecting?

  • What entry points exist, how are they protected, and what access control applies to them?

  • What integrations exist, and how are they used?

In our experience, the team behind a secure system can always describe it in terms of these points. The reverse is not true: a system that can be described is not necessarily secure. Understanding the system gives you the ability to build a secure solution; it is not a guarantee.

See Bruce Schneier, "A Plea for Simplicity" (1999): https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html

It is also important to understand the different types of attacks in order to implement and verify each of the system's layers of protection. OWASP is an excellent starting point here. Our experience from security audits shows that OWASP defines a good baseline that is relevant for many systems and reasonable to implement. OWASP has very good documentation. We would like to highlight in particular:

Achieving a secure system over time requires a structured approach in which security is an integral part of your development process. Independent, periodic security audits give you feedback on whether your security work is actually effective.
