“One man's new feature is another man's new exploit.”
Whose job is it to make things secure? Everyone's [I say we should take pride in what we do and be diligent].
1) Less is more (least privilege) - run with minimal
permissions... who runs on their laptop as a non-admin? Very few [I
plan on doing it at some point soon]. You want the platform to take
care of your security by integrating with it rather than rolling your
own (on Windows, integrate with Active Directory). Also, secrets you
manage yourself are problematic because you have to hide them somewhere.
2) Newer is often not better - proven methods for security are better than new, less tested ones.
3) Trust no input - Where does the input come
from? You really don't know. Input = all data not originating inside
your process. He shows us this input:
PurchaseOrder | format c:\ < 'Y'
[if you are piping this to a command line]
%d%d%n
[this is a format string for the C printf function; '%n' writes the
count of characters printed so far through the int pointer argument it
expects, and when attacker input is used as the format string no such
argument was passed, so printf pulls a pointer off the stack and writes
through it... an arbitrary memory write, much like a buffer overrun]
256 drop table users
[this is a SQL injection attack]
So what do you do? Use strong types and filter it. Keep the
attacker out of the control channel (they can be in the data channel).
The control channel is the text that gets parsed as instructions: the
command line you build to call an app, the SQL statement, the format
string. Don't blindly concatenate user input when you're building these
kinds of strings; pass it as data (an argument, a bound parameter) instead.
4) You can't authenticate remote software - many people try to filter on the client side, but nothing guarantees the code talking to your server is the client you shipped, so the server has to validate again.
5) What your program knows, an attacker can discover
- Any secret that your app knows about, an attacker can get. He says
Kerberos is less expensive these days (you don't need domain
controllers to authenticate).
6) Understand trust - He describes an n-tier model
for authentication (I know about it but my readers might not). You have a
client, an authority and a server. The client has to get a secret (a
ticket) from the authority so that it can access the server; the server
takes the secret and double-checks it with the authority. If the
authority is compromised, a bad guy can do anything, because he can mint
whatever secret he likes. Now add a second authority, which is the one
the server actually uses, and let that second authority fully trust
authority 1. Same result: whoever owns authority 1 gets anything he wants
from authority 2, and therefore from the server. Trust is transitive, so
the weakest authority in the chain sets the bar.
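The two scenarios above worked through in code, as an added example (not the speaker's or the post's own): tickets are HMAC-signed claims, the server double-checks a ticket with the one authority it trusts, and an attacker holding that authority's key mints a ticket for an account that never logged in. Adding a second authority that fully trusts the first only adds one hop. The authority names, the user table, the "admin" target and the HMAC ticket format are assumptions constructed for this example.

```python
"""Added example: transitive trust in a client / authority / server model.

Tickets are HMAC-signed JSON claims; whoever holds an authority's key can
mint any ticket that authority could. Names, keys, the user table and the
'admin' target are constructed for this example.
"""
import hashlib
import hmac
import json
import secrets


def sign(key: bytes, claims: dict) -> bytes:
    """Ticket = JSON claims + '.' + hex HMAC tag (hex never contains '.')."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify(key: bytes, ticket):
    """Return the claims if the tag is valid under key, else None."""
    if ticket is None:
        return None
    body, _, tag = ticket.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(tag, expected) else None


class Authority:
    def __init__(self, name: str, users: dict, trusts: "Authority | None" = None):
        self.name = name
        self.key = secrets.token_bytes(32)   # the secret everything rests on
        self.users = users                   # constructed user -> password table
        self.trusts = trusts                 # upstream authority whose tickets we accept

    def login(self, user: str, password: str):
        if self.users.get(user) != password:
            return None
        return sign(self.key, {"iss": self.name, "sub": user})

    def exchange(self, upstream_ticket):
        """Full trust of the upstream authority: accept its ticket and re-issue
        the same subject under our own key, with no independent check."""
        if self.trusts is None:
            return None
        claims = verify(self.trusts.key, upstream_ticket)
        if claims is None or claims["iss"] != self.trusts.name:
            return None
        return sign(self.key, {"iss": self.name, "sub": claims["sub"]})


class Server:
    def __init__(self, authority: Authority):
        self.authority = authority  # the one authority the server double-checks with

    def serve(self, ticket) -> str:
        claims = verify(self.authority.key, ticket)
        if claims is None or claims["iss"] != self.authority.name:
            return "denied"
        return f"orders of {claims['sub']}"


USERS = {"alice": "hunter2"}  # constructed; no 'admin' account exists anywhere


def single_authority() -> dict:
    auth = Authority("auth1", USERS)
    server = Server(auth)
    honest = server.serve(auth.login("alice", "hunter2"))
    # Compromise: the attacker has auth1's key and mints a ticket for a
    # subject that never logged in and does not even exist.
    forged = server.serve(sign(auth.key, {"iss": "auth1", "sub": "admin"}))
    return {"honest": honest, "forged": forged}


def two_authorities() -> dict:
    auth1 = Authority("auth1", USERS)
    auth2 = Authority("auth2", {}, trusts=auth1)  # server-side authority, no users of its own
    server = Server(auth2)
    honest = server.serve(auth2.exchange(auth1.login("alice", "hunter2")))
    # Same compromise of auth1: forge the upstream ticket, launder it through auth2.
    forged_upstream = sign(auth1.key, {"iss": "auth1", "sub": "admin"})
    forged = server.serve(auth2.exchange(forged_upstream))
    # The extra hop is the only thing auth2 bought: auth1's key alone is refused.
    direct = server.serve(forged_upstream)
    return {"honest": honest, "forged": forged, "direct": direct}


if __name__ == "__main__":
    print("one authority:  ", single_authority())
    print("two authorities:", two_authorities())
```

The second authority does add one real property (the server refuses tickets signed directly with auth1's key), but since auth2 re-issues whatever auth1 asserts, the compromise of auth1 still yields the admin's data. To actually raise the bar, auth2 would have to check something auth1 cannot assert on its own.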
7) Wetware is unreliable (wetware = humans) - Kevin Mitnick broke into systems over the telephone. Protect users' passwords at all costs.
8) You probably need a bigger key - The minimum
certificate key size that Keith says you should use (right now) is
2048 bits. Larger keys will take a while to generate. For a symmetric
key, use about 256 bits.
9) Availability is the third pillar (alongside confidentiality and integrity) - How do you keep your app alive? Performance monitoring, Windows event tracing.
10) Find the weakest link - Find your own problems before an attacker does.