Unpatchable security flaws

How do you possibly mitigate unpatchable security flaws?

  • redesign and reimplement all affected code — design flaws typically impact large amounts of code
  • break some functionality in the interest of mitigation — with the risk that the cure is worse than the original problem
  • convince customers it isn’t a bug, it’s a feature — however, “loss of brakes” is going to be an extremely hard sell

What exactly is a Design-level Security Review?

  • Study the design and supporting documents for a basic understanding
  • Ask the design team clarifying questions about the design and considerations for basic threats
  • Identify the most security critical parts of the design for close attention
  • Write a summary report of findings and recommendations

So why are Design-level Security Reviews not a routine part of development cycles today?

  1. Few software teams — with the notable exception of major dominant software corporations — have the in-house expertise for the job.
  2. Experienced software leads overestimate their own abilities to think through the security implications of design.
  3. There is strong institutional inclination to outsource implementation security review (i.e. penetration testing) ahead of major releases — long after the design horse has left the barn.
  4. Software design itself is so ad hoc (and often so poorly documented) that the resources to capture a working design for analysis do not even exist.
  5. Designs morph over time and it is difficult to follow through with incremental security reviews to maintain currency.

Loren Kohnfelder

Author of Designing Secure Software: a guide for developers. Writing software since 1968. Living on Kauai.