
As an application developer, which of these two principles is considered more secure?

I'm familiar with these concepts at a foundational level. Secure by default means it's secure out the box. Secure by design means the software has been designed with a secure process throughout its lifecycle.

Are these principles mutually exclusive? I would think something that's Secure by default would have been designed securely. Would Secure by default merely be an extension of Secure by design with a concept of application hardening?

Charles Owen
    They are orthogonal concepts. Secure by default is a relative term. If a door is shut and locked in the event of a power loss, is it secure by default? But is it secure? Nobody can enter the secret room to steal data, but nobody can enter it to extinguish a fire either. Security by design means that you think about these threats and come up with a security policy. – Margaret Bloom Jul 01 '23 at 15:28
  • That's a good point because secure by default is a black box and cannot be verified by independent authorities after it's been shipped? – Charles Owen Jul 01 '23 at 16:43

1 Answer


Are these principles mutually exclusive?

They are not exclusive but complementary.

Secure by default means it's secure out the box.

To cite from the recent publication by various international security agencies, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, which I highly recommend reading in full:

“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. ... A secure configuration should be the default baseline. ... The complexity of security configuration should not be a customer problem. ...

So this is more about the configuration of the system. In the past, systems often came with an insecure configuration by default, like trivial passwords, disabled encryption, open firewall settings etc. Users were expected to secure the system before putting it into production, but many did not do this or missed some important steps.

Secure by design means the software has been designed with a secure process throughout its lifecycle

It is more than this. It is how much the software can withstand attacks by design. It's less about quickly shipping patches if vulnerabilities get detected, but more about not needing security patches in the first place. To cite again from the publication:

“Secure-by-Design” means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure. Software manufacturers should perform a risk assessment ... Secure information technology (IT) development practices and multiple layers of defense ... holistic security approach ... cannot be “bolted on” later ...

Steffen Ullrich
  • Thanks, so software by design would be handled more by the software team and CM would have more to do with making it secure by default? – Charles Owen Jul 01 '23 at 16:30
  • @CharlesOwen: If you mean with CM the configuration management at the customer side then no - the software should come secure by default already without requiring specific customer configuration. – Steffen Ullrich Jul 01 '23 at 16:40
  • I meant CM from the supplier side. – Charles Owen Jul 01 '23 at 16:42
  • @CharlesOwen: I'm not familiar with having a separate CM which only cares how the software is configured and is not integrated with software development. From my perspective implementing how a software gets configured and to ensure that the defaults are secure is a part of software development. – Steffen Ullrich Jul 01 '23 at 17:05
  • Thanks, but back to my original question. Which of these two principles would be viewed as more secure? – Charles Owen Jul 01 '23 at 17:14
  • @CharlesOwen: "Which of these two principles would be viewed as more secure?" One might say that secure by default is the easier one to achieve while deeply implemented security by design has more impact but takes also much more effort. But at the end both are needed. – Steffen Ullrich Jul 01 '23 at 17:18
  • I agree that these are complementary but I don't have the exact context but it came up as a practice question on an exam asking which one was MOST secure. My guess would be secure by design because that's a more comprehensive approach. I agree the context matters. – Charles Owen Jul 01 '23 at 17:23
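The answer's point about secure-by-default being a configuration matter (trivial passwords, disabled encryption, open firewall settings that the customer was expected to fix) can be made concrete in code. The following is an added example, not code from the original question, the answer, or the cited publication: it contrasts a constructed "legacy" default configuration with a secure-by-default one, audits both against a small baseline, and shows the pattern of letting an operator weaken a setting only with an explicit acknowledgement, so that the product never becomes insecure by accident. All setting names, the weak-password list and the CIDR values are constructed for illustration.

```python
"""Secure-by-default configuration loading versus the legacy
'insecure out of the box, customer must harden it' pattern.

Added example; the settings, names and weak-value lists are constructed.
"""
from dataclasses import dataclass, replace
import secrets

# Constructed list of trivial credentials of the kind legacy products shipped with.
TRIVIAL_PASSWORDS = {"", "admin", "password", "123456", "changeme"}


@dataclass(frozen=True)
class ServiceConfig:
    bind_address: str
    admin_password: str
    tls_enabled: bool
    debug: bool
    firewall_allow_cidrs: tuple  # source ranges allowed to reach the admin port


def legacy_defaults() -> ServiceConfig:
    """The old style: works everywhere immediately, but the user must harden it."""
    return ServiceConfig(
        bind_address="0.0.0.0",
        admin_password="admin",
        tls_enabled=False,
        debug=True,
        firewall_allow_cidrs=("0.0.0.0/0",),
    )


def secure_defaults() -> ServiceConfig:
    """Secure out of the box: loopback only, TLS on, debug off, no shared password."""
    return ServiceConfig(
        bind_address="127.0.0.1",
        admin_password=secrets.token_urlsafe(24),  # unique per installation
        tls_enabled=True,
        debug=False,
        firewall_allow_cidrs=("127.0.0.1/32",),
    )


def audit(cfg: ServiceConfig) -> list:
    """Return one finding for every setting that falls below the secure baseline."""
    findings = []
    if cfg.admin_password in TRIVIAL_PASSWORDS or len(cfg.admin_password) < 12:
        findings.append("admin_password is trivial or too short")
    if not cfg.tls_enabled:
        findings.append("tls_enabled is False: admin traffic is unencrypted")
    if cfg.debug:
        findings.append("debug is True: verbose errors and debug endpoints exposed")
    if cfg.bind_address == "0.0.0.0" and "0.0.0.0/0" in cfg.firewall_allow_cidrs:
        findings.append("admin port reachable from any network")
    return findings


def apply_overrides(cfg: ServiceConfig, overrides: dict,
                    acknowledge_insecure: bool = False) -> ServiceConfig:
    """Apply operator overrides on top of the defaults.

    Any override that introduces a new audit finding is refused unless the
    operator passes acknowledge_insecure=True, so weakening the baseline is
    always a visible, deliberate decision rather than a silent side effect.
    """
    candidate = replace(cfg, **overrides)
    new_findings = set(audit(candidate)) - set(audit(cfg))
    if new_findings and not acknowledge_insecure:
        raise ValueError("override weakens security: " + "; ".join(sorted(new_findings)))
    return candidate


if __name__ == "__main__":
    print("legacy defaults:", audit(legacy_defaults()))
    print("secure defaults:", audit(secure_defaults()))
    # Moving the bind address to an internal interface adds no finding, so it is allowed.
    print(apply_overrides(secure_defaults(), {"bind_address": "10.0.0.5"}).bind_address)
    # Turning TLS off without acknowledgement is refused.
    try:
        apply_overrides(secure_defaults(), {"tls_enabled": False})
    except ValueError as exc:
        print("refused:", exc)
```

The design choice worth noting is that `audit` runs on both the baseline and the candidate and only the difference is judged: the operator is free to change anything that does not lower the baseline, while each downgrade must be acknowledged and is then recorded by the same audit, which is what the answer means by security configuration not being the customer's problem.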