Chapter 2 - Design Review
blog December 19th, 2006
Overview
The goal of this chapter is to provide the reader with a quick refresher on software design and basic security concepts, and then present some techniques for reviewing the security of a design. We begin with a discussion of some fundamental software design concepts and how they relate to security. We then move on to the concept of security policies and how those are enforced in the design of software. The chapter finishes by presenting our take on the Microsoft Threat Modeling process—including a walk-through with examples.
External Resources
Microsoft Threat Modeling Page
Wikipedia entry on the Bell-LaPadula Model
Wikipedia entry on the Biba Integrity Model
Wikipedia entry on the Clark-Wilson Model
External References
Howard and LeBlanc’s Writing Secure Code
Swiderski and Snyder's Threat Modeling
Howard and Lipner's The Security Development Lifecycle
Sommerville’s Software Engineering
Bishop’s Computer Security: Art and Science
Saltzer and Schroeder's The Protection of Information in Computer Systems
Further Reading and Discussion
The three of us are code auditors, and if one driving theme is present in this book it's that you need to read the code to really understand how secure something is. That said, there are several useful techniques for focusing specifically on design and logic vulnerabilities without targeting the code directly. We presented the Microsoft Threat Modeling process because we've found it useful in our own work. However, we've since discovered some additional material that we would have liked to address.
In Howard and Lipner's The Security Development Lifecycle we stumbled on a reference to Saltzer and Schroeder's 1975 paper entitled The Protection of Information in Computer Systems. The paper is really fascinating, and presents very thorough coverage of software security topics ranging from process and models to excellent design guidance, including eight secure design principles. What's really amazing is that these concepts were developed so completely over 30 years ago, yet most developers are still unfamiliar with them and struggling to figure it out on their own.
You can definitely expect any later editions of The Art of Software Security Assessment to cite Saltzer and Schroeder, and to synthesize a lot of what they presented so well. We'll likely spend some time presenting some of the classic security models too, such as Bell-LaPadula, Biba, and Clark-Wilson. We made a conscious choice not to address these topics in the current edition because we wanted the coverage to be as concrete and immediately useful as possible. However, after some more research we should be able to present the background in a genuinely helpful way.
(8/7/07) - As Tom writes below, another excellent resource is Ross Anderson’s book Security Engineering. It is available for free(!!!) at his web site here.

You might also include a reference to Ross Anderson's book, "Security Engineering." This contains a nice exposition of the Bell-LaPadula, Biba, and Clark-Wilson models that you might find helpful.
This contains a number of useful references in the bibliography as well.
Hope this helps…