What does it mean to build in security from the ground up?

As my Systems Approach co-author Bruce Davie and I think through what it means to apply the systems lens to security, I find that I keep asking myself what it is, exactly, that’s unique about security as a system requirement? That question takes me back to a time before security became such a mainstream news topic; before …

  1. EricM Silver badge

    What it is, exactly, that’s unique about security as a system requirement?

    It's a negative requirement.

    A secure system is basically a system that is incapable of doing things that are not specified.

    Requirements to any system define a limited list on what the system shall do after implementation.

    Execute functions, show values, read inputs, write outputs, etc.

    Checking correctness and completeness is easy: Just test if every defined function works, if every defined input creates the specified output.

    Security requirements are in contrast a nearly indefinite, negative list of things a system must NOT do, e.g. everything that is not in the requirements.

    Like multiple types of crashes, multiple ways of letting external calls modify internal states without authorization, misunderstanding authorization of a request, doing funny things on garbled inputs, garbling outputs, etc.

    Each of those things a system must not do in turn has multiple potential causes, that are pretty specific to program, context and architecture.

    So completely checking security is a basically indefinite task, as it requires an indefinite amount of different inputs/actions to be executed and verified to not result in a failure.

    Security _is_ hard.
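The distinction drawn above, a finite positive list versus an open-ended negative one, can be shown in a test harness. The following is an added example, not code from the thread or the article: a toy length-prefixed record parser whose names (parse_record_naive, parse_record_strict, MAX_RECORD) are invented for illustration. The positive suite, "every specified input produces the specified output", passes for both versions; only the negative check, fed garbled headers, separates the one that silently accepts a length it cannot honour from the one that rejects it.

```python
"""Added example (not from the comment thread): positive versus negative
requirements on a small length-prefixed record parser.  Function names and
the MAX_RECORD bound are assumptions made for illustration."""
import random
import struct

MAX_RECORD = 64  # assumed upper bound on a record payload


def parse_record_naive(buf: bytes) -> bytes:
    # Spec: a 2-byte big-endian length followed by that many payload bytes.
    (n,) = struct.unpack(">H", buf[:2])
    # Slicing silently truncates: a claimed length larger than the buffer
    # is accepted and the caller gets back fewer bytes than the header says.
    return buf[2:2 + n]


def parse_record_strict(buf: bytes) -> bytes:
    # Same spec, plus the things the parser must NOT do made explicit.
    if len(buf) < 2:
        raise ValueError("short header")
    (n,) = struct.unpack(">H", buf[:2])
    if n > MAX_RECORD:
        raise ValueError("length exceeds MAX_RECORD")
    if len(buf) != 2 + n:
        raise ValueError("length does not match buffer")
    return buf[2:]


def positive_tests(parse) -> bool:
    """The 'what the system shall do' list: every specified input works."""
    for payload in (b"", b"a", b"hello", bytes(range(MAX_RECORD))):
        if parse(struct.pack(">H", len(payload)) + payload) != payload:
            return False
    return True


def negative_check(parse, rounds: int = 2000, seed: int = 1) -> list:
    """The 'what it must NOT do' list, probed with constructed garbled input:
    the parser must either reject (ValueError) or return a payload whose
    length equals what the header claimed.  Returns the offending inputs."""
    rng = random.Random(seed)
    failures = []
    for _ in range(rounds):
        n = rng.randrange(0, 0x10000)
        body = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 80)))
        buf = struct.pack(">H", n) + body
        try:
            out = parse(buf)
        except ValueError:
            continue                 # explicit rejection is allowed behaviour
        if len(out) != n:
            failures.append(buf)     # accepted, but lied about the length
    return failures


if __name__ == "__main__":
    for parse in (parse_record_naive, parse_record_strict):
        print(parse.__name__,
              "positive:", positive_tests(parse),
              "negative failures:", len(negative_check(parse)))
```

Both parsers pass the positive suite; the naive one fails the negative check on almost every garbled round, which is the point: the positive list is finite and easy to close, the negative list is only ever sampled.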

    1. matjaggard

      Re: What it is, exactly, that’s unique about security as a system requirement?

      I'd agree with most of that, security is hard.

      The first sentence I'm not convinced by. Firstly because using a system in a way not intended is frequently not a security issue and is often very valuable. Secondly it's sometimes the requirements that cause the security issue.

      1. EricM Silver badge

        Re: What it is, exactly, that’s unique about security as a system requirement?

        > because using a system in a way not intended is frequently not a security issue

        True, but _using_ a system in an unintended way (e.g. using a system designed for analyzing genes to analyze data of social networks) is a different thing from having a system perform an unintended internal function (e.g. yield control to an attacker sending an exploit).

        > Secondly it's sometimes the requirements that cause the security issue.

        True.

    2. big_D Silver badge

      Re: What it is, exactly, that’s unique about security as a system requirement?

      It is hard, but it shouldn't stop developers from trying. Back in the 80s and 90s we were putting tests for buffer overflows, SQL injection, incorrect results etc. in our use cases and test harnesses.

      As time evolved newer requirements turned up, but if there were good security practices built in at the design it was a lot easier to extend the tests to encompass newly found methods of exploitation.

      What I never understood was the Google, Facebook and Twitter method of "we won't bother with any security, because we don't know if the product will ever catch on." Only to be replaced by, "putting security into the product now is too expensive, because it is so big!" (That also applied to things like copyright conformity on YouTube, for example, not just security.)

      These are big problems that come back and smack developers in the face, because they gave little thought to security, when they were developing the system in the first place.

      Security principles need to be taught as a basic requirement for every new system, not an afterthought to be put in expensively once the breaches, data exfiltration and reputation loss cost more than doing the job properly in the first place...
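As an added example of the kind of harness check described above (not code from the thread), here is a SQL injection test in Python against an in-memory sqlite3 database. The schema, the payloads and the function names (find_user_unsafe, find_user_safe, injection_resistant) are constructed for illustration.

```python
"""Added example (not from the comment thread): a test-harness check that a
lookup function does not leak rows or crash when the name carries SQL
metacharacters.  Schema, data and names are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users, one of them an admin.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", 1), ("bob", 0)])
    return db


def find_user_unsafe(db: sqlite3.Connection, name: str) -> list:
    # String formatting: the caller's input becomes part of the SQL text.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the input is only ever compared as a value.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


# Constructed payloads: none of these is a real user name, so a correct
# lookup must return nothing for each of them.
PAYLOADS = [
    "x' OR '1'='1",               # classic tautology
    "x'; DROP TABLE users; --",   # stacked statement attempt
    "O'Brien",                    # legitimate apostrophe, must not error
]


def injection_resistant(find) -> bool:
    """Harness check: for every payload the lookup must neither return rows
    nor raise a database error.  A crash on odd input is also a failure."""
    db = make_db()
    try:
        for payload in PAYLOADS:
            try:
                rows = find(db, payload)
            except sqlite3.Error:
                return False
            if rows:
                return False
        return True
    finally:
        db.close()


if __name__ == "__main__":
    print("unsafe:", injection_resistant(find_user_unsafe))
    print("safe:  ", injection_resistant(find_user_safe))
```

The unsafe version returns both users for the tautology payload; the parameterised version returns nothing for all three and handles the apostrophe without error, which is what the harness asserts.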

      1. EricM Silver badge

        Re: What it is, exactly, that’s unique about security as a system requirement?

        > Back in the 80s and 90s we were putting tests for buffer overflows, SQL injection, incorrect results etc. in our use cases and test harnesses.

        Then you were much further than we were at the time (coding in Fortran and C for in-house midrange engineering applications).

        Especially in the eighties our threat model mainly consisted of in-house engineers and mathematicians with a dangerous tendency for experiments beyond what was expressly allowed by the (printed) manual.

        1. big_D Silver badge

          Re: What it is, exactly, that’s unique about security as a system requirement?

          We were programming in house for systems used to manage power stations, missile systems, radars etc. The code had to be efficient (due to the systems of the time) and robust and secure.

  2. Will Godfrey Silver badge

    Which way round

    Do you specify what isn't permitted, or what is permitted? If it's the former you risk missing new attack types, but if it's the latter users get frustrated with the restrictions and verifying new stuff can become complicated.

    1. Giles C Silver badge

      Re: Which way round

      On the firewall side the general principle is allow only what is stated.

      Which frustrates users but does mean we keep it under control, but then management don’t want to run SSL decryption in line, so the firewall has no choice but to let the traffic through without being able to inspect the payload, whether it is secure or not.

      We know the endpoints are talking but that is it… whereas unencrypted traffic can go through the analytics engines built into the platform.

      1. Richard 12 Silver badge

        Re: Which way round

        Firewalls doing that decryption are a man-in-the-middle attack on everyone in the organisation, by definition.

        The moment you do that, you've made the firewall the most valuable target in your entire organisation. Perhaps even higher than the sum of every single possible target. Thus a miscreant is willing to spend far more resources attacking it - and they only have to win once.

        Effectively, you're requiring the firewall to be perfect.
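The "which way round" question in this sub-thread is easy to make concrete. The following is an added example, not code from the thread: a first-match rule evaluator in Python, with a deny-list chain (default accept, drop the attacks we know about) beside an allow-list chain (default drop, accept only the stated flows). The addresses, ports and rule names are constructed for illustration. The new, unknown outbound port is the "new attack type" the deny-list never heard of.

```python
"""Added example (not from the comment thread): deny-list versus allow-list
firewall policy evaluated over the same constructed flows.  Rules, networks
and ports are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR of permitted/blocked sources
    dst: str            # CIDR of permitted/blocked destinations
    port: Optional[int] # destination port, None means any
    action: str         # "accept" or "drop"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.port is None or self.port == port))


def evaluate(rules, default: str, src: str, dst: str, port: int) -> str:
    """First matching rule wins; otherwise the chain's default policy."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return default


# Deny-list chain: block what is known bad, let everything else through.
DENY_LIST = [
    Rule("10.0.0.0/8", "0.0.0.0/0", 23, "drop"),     # telnet
    Rule("10.0.0.0/8", "0.0.0.0/0", 445, "drop"),    # SMB
    Rule("10.0.0.0/8", "0.0.0.0/0", 3389, "drop"),   # RDP
]

# Allow-list chain: permit only what is stated, drop everything else.
ALLOW_LIST = [
    Rule("10.0.1.0/24", "10.0.2.10/32", 443, "accept"),   # web tier -> API
    Rule("10.0.1.0/24", "10.0.2.11/32", 5432, "accept"),  # web tier -> DB
]


def deny_list_policy(src: str, dst: str, port: int) -> str:
    return evaluate(DENY_LIST, "accept", src, dst, port)


def allow_list_policy(src: str, dst: str, port: int) -> str:
    return evaluate(ALLOW_LIST, "drop", src, dst, port)


# Constructed traffic: two stated flows and one nobody planned for.
FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443),
    ("10.0.1.5", "10.0.2.11", 5432),
    ("10.0.1.5", "203.0.113.9", 4444),   # unknown outbound port
]

if __name__ == "__main__":
    for src, dst, port in FLOWS:
        print(f"{src} -> {dst}:{port:<5} deny-list={deny_list_policy(src, dst, port):6} "
              f"allow-list={allow_list_policy(src, dst, port)}")
```

Both chains pass the two stated flows; only the allow-list drops the unknown one. The cost is the one Will Godfrey names: every legitimate new flow needs a new accept rule before it works, which is the friction users push back on.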

  3. John Smith 19 Gold badge

    Start by being aware of what the system is *for*

    Does it handle money?

    Does it handle personal information?

    Does it control vital infrastructure (at least vital to someone)?

    Does it have national security information?

    Does it control a weapon(s)?

    That starts you on an idea of what sort of bad actors you will be facing.

    And never, ever trust user input, even if it comes from a frontend app you wrote, but with data sent through the interwebs, i.e. everything.

    1. An_Old_Dog Silver badge

      "Unimportant" Systems Need Security, Too

      ... because when they are compromised, they can be used to launch and/or amplify an attack on "important" systems and networks.

      Our hospital suffered an attack via our ~2000 vulnerable and compromised JetDirects. HP, to its credit, quickly created patched firmware. We remotely updated about 80% of our JetDirects; the remainder required physical hands-on by a swarm of techs.

  4. Anonymous Coward

    "Security" - It Depends On Exactly What Security.........

    So...multi-tenant.....security of one tenant from another.

    So...email, Signal, Telegram......security of ANY user against who knows which attacker.

    So...cloud user....security against the cloud OWNER......

    So...cloud user....security against anyone else......

    So...copyright owner....against anyone at all....not least multiple "big data" aggregators.....

    So...medical services user....against anyone at all....not least multiple "big data" aggregators.....

    ...and so on......the use of the word "security" is itself a weasel word....used indiscriminately..........

    .....to worry people like me who know almost nothing about technology in 2025!!!!

    So....please explain!!
