Embedded Security
Embedding security best practices means systematically identifying, implementing, and managing the security measures that protect software systems from vulnerabilities, threats, and attacks.
Goal
The goal is to ensure the confidentiality, integrity, and availability of software systems and data, minimising the risk of security breaches and enhancing trust among users and stakeholders.
Context
Every software system is exposed to a range of security threats, including unauthorised access, data breaches, and service disruptions. Security testing that happens only after a product has been built comes too late and becomes a blocker to deployment. We need to "Shift Left" and make security the responsibility of the team, so that they can proactively address these threats and build robust, secure systems.
Security Categories
| Category | Description | Use Cases |
|---|---|---|
| Data Security | Practices for protecting data at rest, in transit, and during use. | Encrypting database entries, using HTTPS for data in transit. |
| Authentication & Authorisation | Mechanisms for verifying user identities and controlling access to data and functionalities. | Login systems, access control for resources. |
| Session Management | Techniques for managing user sessions securely and preventing unauthorised access. | Handling user login sessions, securing session tokens. |
| API Security | Best practices for securing Application Programming Interfaces (APIs) and communication channels. | Protecting against SQL injection, ensuring API keys are kept secure. |
| Secure Coding Practices | Guidelines for writing code that is less vulnerable to common security exploits. | Avoiding buffer overflows, preventing XSS attacks. |
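The Session Management row lists "securing session tokens" as a use case. The following is an added example, not code from the page or from any particular framework, showing the properties a defender wants from a session store: tokens generated from a cryptographic random source, only a hash of the token held server-side (so a leaked store does not yield usable sessions), a fixed lifetime, constant-time comparison on validation, and cookie attributes that keep the token away from scripts and plain HTTP. The in-memory dictionary and the injectable `clock` are assumptions made for the example; a real deployment would back the store with a database or cache.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class SessionRecord:
    user_id: str
    token_hash: str   # SHA-256 of the token; the token itself is never stored
    expires_at: float  # absolute expiry, seconds since epoch


class SessionStore:
    """Minimal server-side session store (in-memory for the example)."""

    def __init__(self, ttl_seconds: int = 900, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, SessionRecord] = {}  # keyed by public session id

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a session and return the bearer value 'session_id.token'."""
        session_id = secrets.token_urlsafe(16)  # lookup key, not secret on its own
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._sessions[session_id] = SessionRecord(
            user_id=user_id,
            token_hash=self._hash(token),
            expires_at=self.clock() + self.ttl,
        )
        return f"{session_id}.{token}"

    def validate(self, presented: str) -> Optional[str]:
        """Return the user id for a valid, unexpired session, else None."""
        try:
            session_id, token = presented.split(".", 1)
        except ValueError:
            return None  # malformed bearer value
        record = self._sessions.get(session_id)
        if record is None:
            return None
        if self.clock() >= record.expires_at:
            self._sessions.pop(session_id, None)  # expired: clean up and reject
            return None
        # Constant-time comparison avoids leaking how many hash bytes matched.
        if not hmac.compare_digest(record.token_hash, self._hash(token)):
            return None
        return record.user_id

    def revoke(self, presented: str) -> bool:
        """Invalidate a session (logout); returns True if one was removed."""
        if self.validate(presented) is None:
            return False
        session_id = presented.split(".", 1)[0]
        return self._sessions.pop(session_id, None) is not None


def session_cookie_header(bearer: str, max_age: int) -> str:
    """Set-Cookie value: HttpOnly blocks script access, Secure restricts to HTTPS,
    SameSite=Strict stops the cookie riding along on cross-site requests."""
    return f"session={bearer}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=900)
    bearer = store.issue("alice")
    print(session_cookie_header(bearer, 900))
    print("valid for:", store.validate(bearer))
    store.revoke(bearer)
    print("after logout:", store.validate(bearer))
```

Storing only the hash means an attacker who reads the session table still cannot present a valid token, and the injectable clock lets the expiry path be exercised in tests rather than trusted on faith.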
Inputs
| Artifact | Description |
|---|---|
| User Stories | Detailed descriptions of the functionality, performance criteria, and interfaces needed for each component. |
| Threat Models | Analyses that identify potential threats to the system and the measures needed to mitigate them. |
Outputs
| Artifact | Description | Benefits |
|---|---|---|
| Security Policies | Documents defining security protocols, procedures, and responsibilities across the development team. | Establishes a clear security framework and promotes a security-conscious culture. |
| Security Audit Reports | Detailed findings from security assessments, including vulnerabilities, risks, and recommendations for improvement. | Provides actionable insights to enhance system security and compliance. |
Anti-patterns
- Security as an Afterthought: Delaying security considerations until late in the development process, making it more difficult and costly to address vulnerabilities.
- Hardcoded Secrets: Embedding sensitive information like passwords or API keys directly in the source code, creating a significant security risk.
- Insufficient Logging and Monitoring: Not capturing or analysing enough information about security-related events, hindering the ability to detect or respond to incidents.
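The "Hardcoded Secrets" and "Insufficient Logging and Monitoring" anti-patterns above are both things a team can check for mechanically. The following is an added example, not code from the page, with three parts: a `load_secret` helper that reads a secret from the environment (where a secret manager or CI pipeline injects it) and fails closed when it is missing; a small heuristic scanner for secret-looking string literals, of the kind a pre-commit hook or CI step would run (dedicated tools such as gitleaks do this far more thoroughly); and a structured audit-event function plus a threshold check over its output, showing the detection that logging makes possible. The sample source lines and log records are constructed for the example and contain no real credentials; `SAMPLE_SOURCE`, the regex and the placeholder list are assumptions, not a standard.

```python
import json
import os
import re
import time
from typing import Dict, Iterable, List, Mapping


# --- Anti-pattern: hardcoded secret -----------------------------------------
# Vulnerable form (constructed, not a real key):
#     API_KEY = "sk_test_51HGQvzJ7xK9mP2wL"
# Hardened form: the secret lives outside the repository and is injected at runtime.
def load_secret(name: str, env: Mapping[str, str] = os.environ) -> str:
    """Read a secret from the environment; refuse to start without it."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set; refusing to start")
    return value


# Heuristic: an identifier that looks like a credential assigned a quoted literal
# of 8+ characters. Group 1 is the identifier, group 2 the literal value.
SECRET_ASSIGNMENT = re.compile(
    r"""\b(\w*(?:api[_-]?key|secret|password|passwd|token|private[_-]?key)\w*)\s*[:=]\s*['"]([^'"]{8,})['"]""",
    re.IGNORECASE,
)
# Values that are clearly templates or placeholders rather than live secrets.
PLACEHOLDERS = ("changeme", "example", "xxxx", "<", "${")


def scan_for_hardcoded_secrets(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious assignment; the value itself is never
    echoed back, only its length, so the scanner's own output cannot leak it."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        match = SECRET_ASSIGNMENT.search(line)
        if not match:
            continue
        value = match.group(2)
        if any(p in value.lower() for p in PLACEHOLDERS):
            continue
        findings.append({"line": lineno, "name": match.group(1), "value_length": len(value)})
    return findings


# Constructed sample source; the literals are made up for the example.
SAMPLE_SOURCE = [
    "import os",
    'API_KEY = "sk_test_51HGQvzJ7xK9mP2wL"',       # hardcoded -> finding
    'DB_PASSWORD = "${DB_PASSWORD}"',              # templated placeholder -> ignored
    'SMTP_PASSWORD = "correct-horse-battery"',     # hardcoded -> finding
    'token = os.environ["SESSION_SIGNING_KEY"]',   # read at runtime -> ignored
    'password_hint = "changeme"',                  # placeholder -> ignored
]


# --- Anti-pattern: insufficient logging and monitoring ----------------------
def audit_event(event: str, outcome: str, actor: str, source_ip: str,
                clock=time.time, **details) -> str:
    """One JSON line per security-relevant event. Log who, what, from where and
    the outcome; never log the credential or token that was presented."""
    record = {"ts": round(clock(), 3), "event": event, "outcome": outcome,
              "actor": actor, "source_ip": source_ip}
    record.update(details)
    return json.dumps(record, sort_keys=True)


def actors_over_failure_threshold(log_lines: Iterable[str], threshold: int = 5) -> List[str]:
    """Actors with at least `threshold` failed logins in the given records:
    the kind of check that is only possible when failures are logged at all."""
    counts: Dict[str, int] = {}
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("event") == "login" and rec.get("outcome") == "failure":
            counts[rec["actor"]] = counts.get(rec["actor"], 0) + 1
    return sorted(actor for actor, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for finding in scan_for_hardcoded_secrets(SAMPLE_SOURCE):
        print("possible hardcoded secret:", finding)
    # Constructed log: six failures for one account, then one success elsewhere.
    log = [audit_event("login", "failure", "mallory", "203.0.113.9", reason="bad_password")
           for _ in range(6)]
    log.append(audit_event("login", "success", "alice", "198.51.100.4"))
    print("accounts over failure threshold:", actors_over_failure_threshold(log))
```

The scanner reports only the identifier and the literal's length, so its output can be posted in a CI log without becoming a second copy of the secret; the same principle applies to `audit_event`, which records outcomes and actors but never the presented credential.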