Total security is not achievable but it is not necessary. Focus on the weakest links and design security to your needs.
- I love Hollywood heist films. Heat and Ocean's Eleven are two of my favorites. Most heist films start with something of great value which has been protected by what everyone is sure is impenetrable security. The defenders have taken every precaution they can imagine, but there's always an angle that they've not considered, a failure point that has escaped their notice. The film's plot develops surprising schemes to get past their defenses. As audience members, we delight in watching the exploit of that unexpected, improbable, sometimes high-risk way to get inside. The most famous example has got to be from Mission: Impossible, when Tom Cruise is suspended from the ceiling as he hacks into a computer in an ultra-secure room. As in heist films, nothing can ever be 100% secure. There are always ways to gain access that we don't expect. Even if we were able to perfectly secure a system against all known bugs and vulnerabilities, that system is not fixed in time. Software gets upgraded, configurations get changed, data gets updated, new vulnerabilities are introduced or discovered. Some of these are called zero-day vulnerabilities because, even though hackers may be sharing and using the exploit, the developer has had zero days of awareness and zero days to craft a defense for it. They might not have seen it coming before, but I bet that the CIA is prepared for secret agents coming into their computer rooms through the ceilings now. Dennis Hughes is credited as having said the only secure computer is one that's unplugged, locked in a safe and buried 20 feet under the ground in a secret location, and I'm not even too sure about that one. If security is unachievable, then how should we approach our task? We should let our threat model guide our priorities. This tells us where to start our work and how to allocate our resources. Overall, security is only as strong as the weakest link.
To use our castle example, it doesn't matter if your northern defenses are very strong if an attacker can go around them and use the damaged southern castle wall to get inside. Our goal should not be to create a castle that cannot be stormed, but to raise the security level by making the weakest points as difficult to exploit as possible. This helps us to measure our security level and our progress. It's essential to frequently reevaluate security, especially as circumstances change. For example, new attackers may appear, or old attackers may gain new capabilities. Business objectives may change. Adding new software or features to a website may introduce new vulnerabilities. The point is, security is not a one-time process. Effective security requires reassessment. Instead of trying to achieve perfect security, which does not exist, focus on protecting against the risks in your particular threat model.
- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting