OWASP insecure design (noun)
Rick Howard: The word is: OWASP insecure design.
Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project, insecure as in having vulnerabilities that can be exploited, and design as in to plan and fashion skillfully.
Rick Howard: Definition: A broad OWASP Top 10 software development category representing missing, ineffective, or unforeseen security measures.
Rick Howard: Example sentence: To avoid creating an application with insecure design, developers must think about security during the planning and design stage of the Software Development Lifecycle.
Rick Howard: Origin and context: Dave Wickers and Jeff Williams, working for Aspect Security, a software consultancy company, published an education piece in 2003 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications.
Rick Howard: Today, OWASP is an international team of security professionals led by the Foundation Executive Director and Top 10 project leader, Andrew van der Stock, dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Today, there are tens of thousands of members and hundreds of chapters worldwide. In 2021, OWASP published an updated Top 10 list where a new category appeared, Insecure Design, ranking at number four on the most critical vulnerabilities to fix. Insecure Design results when there are flaws in thinking about the security of the development process. This is not to be confused with insecure implementation. That has a different root cause and remediation.
Rick Howard: According to OWASP, "A secure design can still have implementation defects leading to vulnerabilities that may be exploited. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks."
Rick Howard: According to OWASP, the security of the software development process is never done. The landscape requires constant monitoring for newly discovered vulnerabilities and continuous updating as new flaws come to light. The only way to stay ahead of the game is to embrace secure design patterns, reference architectures and deployment frameworks. In other words, automate the development process in a DevSecOps kind of way. Once deployed, assign red teams the task of deploying known attack scenarios against the landscape and make adjustments to newly discovered flaws in the design. OWASP specifically recommends looking for changes in data flows, access controls, or other security controls, as well as automating the validation of assumptions on a regular basis.
Rick Howard: Nerd reference: In the 2001 movie, Ocean's 11, starring George Clooney, Brad Pitt, and the late great Carl Reiner and a host of Vegas casinos simultaneously.
Rick Howard: They run into a security system "designed," and I'm using air quotes here, to be impenetrable by the casino owner. In this scene, Clooney describes the "insecure design" with the help of Pitt and Reiner. The design is insecure because, spoiler alert, the Ocean's 11 team successfully steals the money.
George Clooney and others: This is the vault at the Bellagio, located below the Strip beneath 200 feet of solid earth. It safeguards every dime that passes through each of the three casinos above it.
George Clooney and others: This place houses a security system that rivals most nuclear missile silos. First, we have to get within the casino cages, which, anybody will tell you, takes more than a smile. Next, through these doors, each of which requires a different six-digit code changed every 12 hours. Past those lies the elevator. This is where it gets tricky. The elevator won't move without authorized fingerprint identification. Which we can't fake. And vocal confirmation from both the security system within the Bellagio and the vault below. Which we won't get. Furthermore, the elevator shaft is rigged with motion detectors. Meaning if we were to manually override the lift, the shaft's exit would be locked down automatically and we'd be trapped.
George Clooney and others: Now, once we get down the shaft, though, then it's a piece of cake, just two more guards with Uzis and the most elaborate vault door ever conceived by man.
George Clooney and others: No, tunneling is out. There are sensors monitoring the ground a hundred yards in every direction. If a groundhog were to nest there, they'd know about it.
George Clooney and others: I have a question. Say we get into the cage, and through the security doors there, and down the elevator we can't move, and past the guards with the guns, and into the vault we can't open, without being seen by the cameras. Oh yeah. Sorry. I forgot to mention that. Yeah, we'll say we do all that. We're just supposed to walk out of there with $115 million in cash on us without getting stopped? Yeah.
Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.