Software Architecture, Code, and Information Security
Information security is tightly linked with the code running on platforms and decisions made during the software architecture planning phase. One can trace a lot of results in penetration tests to workarounds caused by inadequate tools, bad design choices, trends in software development, legacy applications, and too optimistic testing strategies. Let’s visit some of the accident sites by example.
Implementing the basic principles of information security can be hard. The dreaded undefined behaviour or the lack of graceful failures in error conditions happens frequently. A recent presentation about autonomous systems illustrates what we expected from your code — it must be completely self-reliant. Doing n restarts and halting is not the best way of dealing with unexpected situations. Rejecting dangerous states and input is always an option, but sysadmins frequently need to bash applications over the head in order to restore a known operational state. Your code also needs to know the odd parts of your platform. Have a look at the source code of databases and read about the simple operation of writing data to non-volatile storage. Do a full-text search of sync in the PostgresSQL source code and read the comments. Saving data is not necessarily a problem solved on some platforms.
Despite the strict rule in software development of not reusing code, concepts are often reinvented and disguised with alternative names. Modern application stacks feature many levels of isolation, but not all of them are used to their full capabilities. Pentesters love using containers with old code running as root user. That’s not isolation nor mitigation. Cloud platforms offer you a rich set of privileges for your accounts, but complexity leads to the workarounds mentioned earlier.
Getting rid of bad design choices can be a hard fight. It requires social skills, convincing arguments, careful research of facts, and being a tenacious advocate of secure design. Adding Sec to DevOps is much more than introducing alternative names for developer roles. There is not always an app for your problem and stringing random three-letter words together won’t solve your problems automatically. Implementing information security is much more than paying lip service.
Therefore DeepSec is looking for your experience. We know that there are lots of developers out there who want to know more about combining information security with code. Especially the Internet of Things (IoT) field needs a lot more scrutiny and secure design decisions. The call for papers is open! We are looking for experts presenting show cases, examples, and ways to improve your code. We are also looking for trainers to teach secure code development in a two-day workshop. Let us know if you are interested!
Originally published at https://blog.deepsec.net on April 8, 2021.