Building Security into System Design

  • Eric Goldman

5 Feb 2009   ::   Security   ::   #proactive security #vendor responsibility #network security #enterprise security



In this article [1], Hale argues that information systems need to be designed with security as a primary factor. He starts the article by emphasizing the number of attacks and their related costs. He notes it is relatively inexpensive to hack any given enterprise which is specifically targeted by skilled hackers, who are always a step ahead of the security researchers and patch writers. He notes that in general, systems are not designed with security in mind, and as a result, security holes and backdoors are only discovered after deployment. Consequently, an organization is always playing catch-up to the hackers. If systems are designed not only to function well, but with the goal of increasing security, fewer attacks will be possible. The article notes that security does not just magically appear, but that it must be explicitly addressed and built into any given system. When a system is purchased or built internally, security cannot be an afterthought. Hale concludes by recognizing it is impossible to make any system 100% secure, but that a security-centric system stands a better chance of resisting attack. A weak system is not going to be secured by an additional security measure such as a firewall.

Relation to Enterprise Security

The security team within an enterprise often focuses on discovering and patching security vulnerabilities. While this is often one of the top tasks for the team, it would be better if more time were spent proactively thinking about security. When products are purchased from outside vendors, they should be analyzed and reviewed for their security characteristics. This process would include reviewing NIST/CERT and other reports for the application. Other possibilities include reading product reviews written by security professionals and organizations, as opposed to white papers or general commercial reviews. When products are developed internally, it is important to have a quality assurance team which is well versed in secure coding procedures and practices. In addition, the application should be tested with security tools in a sandbox before deployment. By doing the upfront analysis, the costs of later mitigation are reduced because many of the obvious and easily identifiable security vulnerabilities have been eliminated.

When security is an afterthought, the security team will always be playing catch-up to the attackers. As a result, responding to attacks will be more costly, because the urgency and criticality of the vulnerability impose tight time limits. In addition, the proactive approach will help create security consciousness within the enterprise, which will help in anticipating and reacting to the inevitable attacks.


I believe encouraging vendor security consciousness would also be a valuable presentation. I believe that even if this increased the costs of the software or information system, customers would be willing to pay more upfront for a more secure system. Customers could take the word of the vendor; however, it would be more useful if there were some trusted organization which could provide a score on the security, or evaluate the security evaluations used internally by the vendor.

I am sure that every day, many security professionals earn their salary finding the same common vulnerabilities over and over again on their customers' systems. While this is great for the auditors and penetration testers, it is a waste for the customer. The customer organization could have saved more money up front by making security-conscious decisions. In addition, this would then allow the penetration testers and security researchers to focus on more intricate and complex vulnerabilities, instead of focusing on the simple exploits that can often be perpetrated with a found script or with "script kiddie" tool kits.

While it is not desirable, it is understandable that many companies continue to use vulnerable software and systems which are known to be insecure. At the time of the initial investment many years ago, security was probably not a hot topic or a major concern. Now, they are stuck with these systems until the next purchasing or upgrade cycle. I believe that today security has become more prominent, and that vendors will work to make their products much more secure. This is not only because of increased awareness, but because of the new reality of negative publicity and diminished customer retention that can result from being flagged as a vendor of insecure or "easily hacked" products.


  1. Hale, Gregory. Think Network Security First, System Second. Enterprise Security Today. [Online] NewsFactor Network, February 4, 2009. [Cited: February 5, 2009.]

* Note: the original article link appears to be dead, but a version of the article appears to be available at: