Development teams need to build secure design into applications from the start. When coding any software, security must be a primary goal. Never leave protection and security until the end of development: a single error introduced this way can compromise the entire product.
Prevention is always better than mitigation. To avoid threats, we can use the following secure software development best practices: validate input, heed compiler warnings, architect and design for security policies, keep it simple, default deny, adhere to the principle of least privilege, sanitize data sent to other systems, practice defense in depth, use effective quality assurance techniques, and adopt a secure coding standard.
Today, I will be discussing the secure software development best practice of defense in depth. Defense-in-depth is a term coined by the US military, describing the placement of defensive barriers to impede fighters from reaching a certain position. This military strategy included monitoring the fighters' progress and responding to any advances with an equal or greater force. The same concept applies to the world of cyber security, where the attacker is the fighter and the countermeasures are the barriers. The basic idea behind the defense-in-depth strategy is to block the attacker as much as possible with multiple levels of defense.
An alternative to defense in depth is to rely on a single strategy: complete input validation. While a small program can theoretically be developed and secured by input validation alone, this is not possible for larger systems. Multiple levels of protection are required to prevent runtime exploitation and to detect changing assumptions during development and maintenance.
More valuable assets need to be protected behind more layers of defensive barriers. This concept is what is known as layering. Layering involves implementing multiple security strategies to protect the same asset. Defense in depth or security in depth is the premise that no single layer is completely effective in securing the assets. The most secure system/network has many layers of security and eliminates any single points of failure.
A combination of multiple layers of protection is not only more effective against unpredictable attacks than a single defense optimized for a specific type of attack, but it also increases the cost to the attacker in terms of additional time, effort, and equipment.
A variety of technological measures can be used as layers of protection: firewalls, IDSs, routers with access control lists, antivirus software, access control, spam filters, and so on. Defense-in-depth involves not only technology but also people and operations, meaning that the right level of protection can be implemented for an organization's assets by tailoring an effective set of safeguards to each organization's unique needs. Red Sky Alliance recommends the consistent implementation of secure principles in all developed applications. Consistent approaches and methodologies are important because they determine how sensitive data is handled and how it is stored. Encryption and access control should also be considered.
As mentioned above, there is no single defensive barrier that can successfully protect against every type of attack. Therefore, each situation requires a different and unique application of defense in depth (DiD). Some situations may be better suited to certain methods than to others. These may include, but are not limited to:
- Quality Assurance Techniques,
- Secure Coding Standards,
- The Principle of Least Privilege,
- Validating Input, and
- Sanitizing Data.
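As an added example (not code from the original article), the following Python sketch layers several of the listed methods on one file-download handler: input validation at the boundary, an independent containment check after path canonicalization, sanitization of the name before it reaches a log, and a read-only, bounded read. The sandbox directory, file names and the escaping symlink are constructed for the demonstration and assume a POSIX filesystem; the point is that the symlink passes validation and is stopped only by the second layer.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from typing import Optional

# Layer 1 (validate input): a strict allow-list for the untrusted file name.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def validate_name(name: str) -> bool:
    """Accept only a plain file name: no separators, no control chars, no '..'."""
    return SAFE_NAME.fullmatch(name) is not None and ".." not in name


def contained_path(base: Path, name: str) -> Optional[Path]:
    """Layer 2 (independent check): canonicalize, then require the target to stay under base."""
    resolved = (base / name).resolve()
    base_resolved = base.resolve()
    if resolved != base_resolved and base_resolved not in resolved.parents:
        return None  # e.g. a symlink inside base that points outside it
    return resolved


def sanitize_for_log(name: str) -> str:
    """Layer 3 (sanitize data sent to other systems): neutralize control characters before logging."""
    return "".join(ch if ch.isprintable() else "?" for ch in name)


def serve_file(base: Path, name: str, max_bytes: int = 4096) -> tuple[str, bytes]:
    """Return (outcome, data); each layer can reject on its own, so no single point of failure."""
    if not validate_name(name):
        return "rejected_by_validation", b""
    path = contained_path(base, name)
    if path is None:
        return "rejected_by_containment", b""
    if not path.is_file():
        return "not_found", b""
    # Layer 4 (least privilege): open read-only and read only a bounded amount.
    with path.open("rb") as fh:
        return "ok", fh.read(max_bytes)


def demo() -> dict[str, str]:
    """Constructed sandbox: one legitimate file plus a symlink escaping the base directory."""
    base = Path(tempfile.mkdtemp())
    (base / "report.txt").write_bytes(b"quarterly numbers")
    outside = Path(tempfile.mkdtemp()) / "secret.txt"
    outside.write_bytes(b"not for download")
    (base / "link.txt").symlink_to(outside)  # passes layer 1, stopped by layer 2
    probes = ["report.txt", "../secret.txt", "link.txt", "rep\x07ort.txt"]
    return {sanitize_for_log(p): serve_file(base, p)[0] for p in probes}
```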
This tailoring process permits the application of lower-assurance solutions where appropriate and the judicious application of higher-assurance solutions in critical areas. Organizations often conduct risk assessments to determine the value of assets, possible threats, the likelihood of those threats, and their possible impact. In doing this, an organization can identify risks and decide how to allocate security budgets to protect valuable assets at risk. Valuable assets facing unlikely or low-impact threats might not need much protection. Clearly, high-value assets facing highly likely or high-impact threats deserve the strongest defensive barriers.
This strategy is ideal for combating hydra attacks, where multiple attack methods are launched against an organization to compromise multiple attack-surface vulnerabilities. For example, combining secure programming techniques with secure runtime environments should reduce the likelihood that vulnerabilities remain in the code at deployment time and can be exploited in the operational environment.
The term operations refers to all preventive and reactive activities required to maintain security. Preventive activities include vulnerability assessments, software patching, system hardening, and access controls. Reactive activities should detect malicious activity and respond by blocking attacks, isolating valuable resources, or tracing the intruder, all of which provide varying levels of attack deterrence.
The onion analogy is appropriate here, as it represents the peeling back of layers of protection before reaching the bulb, the prized asset. As cyberattacks become more sophisticated, defense-in-depth approaches must also become more sophisticated. Defense-in-depth works best if all the layers integrate and harmonize as one. The layers nearest to the data are the most important, and all layers should be aligned to the types of attacks your organization is likely to experience.
The data processed by the client, server, and application must be kept confidential and the integrity maintained. In doing this, you protect your organization from unauthorized use of clients, servers, and applications. Organizations must also ensure that clients and servers follow the secure configuration instructions and have all appropriate patches applied.
By taking steps to provide adequate defenses against subversive acts by trusted persons and systems, both internal and external, an organization can better protect its valuable assets. Please also note that every computer user in an organization, as well as every internet user at home, should be aware of security policies, safe practices, and the benefits of proper protection.
A simple step you as an organization can take to practice defense in depth is as follows:
- Maintain configuration management for all clients and servers to keep track of patches and system configuration changes.
You can improve the effectiveness of defense in depth by incorporating countermeasures. These countermeasures need to be properly coordinated at all levels to maximize the ability to manage or mitigate cyber-attacks.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516