Tuesday, January 31, 2017

Tech-Sec Guideline: Open Design and Security by Design

Guideline: Open Design and Security by Design

Part of: Technology Security Guidelines
OverviewBuilding a set of Guidelines for Security and Privacy

Security Architecture and Controls are all developed based on an open design in such a way that only private keys and passwords are secret. There is no security through obscurity from the design perspective (Kerkhoff’s Principle).

Knowing how a castle has been built with all its walls, bridges, trenches, and towers should not have an impact on the workings of such security features. Only then the security features will have value against an incoming attack.

In the world of Information Technology it is not different. Whether you are building software, infrastructure, architecture, databases and what not, its security should only depend on the safekeeping and secrecy of the private keys and passwords.

Security through obscurity is likely not avoidable for 100%, but all efforts should be directed towards reaching that goal. The less you need to worry about concerning keeping things a secret, the less vulnerable you will become to information leakage about the inner workings of your systems. And the less vulnerable you are, the more resilient the environment will become.

More information from OWASP about Security By Design.


Post a Comment