Principles of Secure Design and its components
Principles of Secure Design
• Least Privilege: Grant only the minimum permissions required for tasks.
• Defense in Depth: Use multiple layers of security to protect systems.
• Fail Securely: Ensure systems remain secure even when they fail.
• Open Design: Security should not depend on secrecy of the design.
• Separation of Duties: Divide responsibilities to prevent misuse or errors.
Principles of Secure Design
• Economy of Mechanism: Keep designs simple and minimal to reduce errors.
• Complete Mediation: Validate all access requests without relying on cached data.
• Least Common Mechanism: Minimize shared resources to reduce risks.
• Psychological Acceptability: Ensure security mechanisms are user-friendly.
Principle of Least Privilege
• A subject should only be given the privileges it needs to complete its task and no more.
• The privileges should be controlled by the function, not the identity, similar to the right-to-know principle.
• For example, a cashier cannot write checks.
Principle of Fail-Safe Defaults
• Unless explicit access has been granted, access should be denied. Moreover, if a system is unable to complete a task, it should roll back to the start state, for safety.
• Example: A regular user may not modify other people's mail files; in addition, if the mail program cannot deliver mail, the only thing it can do is report failure.
Principle of Economy of Mechanism
• Security mechanisms should be as simple as possible.
• This way, it is easier to check for errors.
Principle of Complete Mediation
• All accesses to objects must be checked to ensure that they are still allowed.
Principle of Defense in Depth
• The more lines of defense there are against an attacker, the better the defense, especially if the additional line(s) are of a different nature.
Principle of Open Design
• The security of a mechanism should not depend on the secrecy of its design or implementation.
• Especially important for cryptography.
• Example: DVDs.
Principle of Separation of Privilege
• A system should not grant permission based on a single condition.
• Example: on BSD systems, su users must belong to the wheel group and know the root password.
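As an added illustration (not from the slides) of the su rule above, together with the fail-safe defaults principle, here is a small Python model: root is granted only when wheel membership AND the root password both check out, and every other outcome, including an error inside the check itself, is a denial. The users, groups, salt and password are constructed sample data.

```python
# Added example (not from the slides): the BSD-style su rule as code.
# Two independent conditions must hold (separation of privilege) and
# anything not explicitly granted, including a broken check, is denied
# (fail-safe default). All data below is constructed for the example.
import hashlib
import hmac

# Constructed sample data: group membership table and a salted hash of the
# root password (the password itself is never stored).
GROUPS = {"wheel": {"alice"}, "staff": {"alice", "bob"}}
_SALT = b"constructed-salt"
_ITER = 10_000
ROOT_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)


def in_group(user: str, group: str) -> bool:
    """Default deny: an unknown user or group yields False, never an error."""
    return user in GROUPS.get(group, set())


def password_ok(candidate: str) -> bool:
    """Compare the candidate's hash with the stored hash in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, _ITER)
    return hmac.compare_digest(digest, ROOT_PW_HASH)


def su_allowed(user: str, candidate: str) -> bool:
    """Separation of privilege: BOTH checks must pass; neither alone suffices."""
    try:
        # Evaluate both conditions unconditionally so that neither result
        # is skipped; the grant is the single explicit True path.
        member = in_group(user, "wheel")
        knows_password = password_ok(candidate)
        return member and knows_password
    except Exception:
        # Fail-safe default: if the check itself fails, deny rather than grant.
        return False
```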
Principle of Least Common Mechanism
• Mechanisms to access resources should not be shared (because they provide a haven for covert channels).
Principle of Psychological Acceptability
• Security mechanisms should not make it more difficult to access a resource.
• Examples: ssh, the login mechanism.
Exercises
• Which of these principles apply to operating systems, and which of them are followed by Linux/Unix? Which are followed by Windows?
• What would be the effect of checking EACH I/O file access for permission? Assume that each check would require an extra disk operation.
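As an added illustration (not from the slides) of the Complete Mediation slide and of the second exercise, here is a toy Python file monitor: one handle checks permission once at open and trusts that decision afterwards, the other re-checks the current ACL on every read. After access is revoked, only the mediated handle notices, and a counter shows the extra check each read costs. The ACL, user and path are constructed sample data.

```python
# Added example (not from the slides): check-at-open versus complete
# mediation. ACL, user and path are constructed sample data.

ACL = {"/etc/payroll": {"alice"}}          # constructed: readers per file
CHECKS = {"open_time": 0, "complete": 0}   # how many checks each model performs


def allowed(user: str, path: str) -> bool:
    """Default deny: a path absent from the ACL is readable by nobody."""
    return user in ACL.get(path, set())


class OpenTimeHandle:
    """Checks once at open and trusts that decision for the handle's lifetime."""
    def __init__(self, user: str, path: str):
        CHECKS["open_time"] += 1
        if not allowed(user, path):
            raise PermissionError(path)
        self.path = path

    def read(self) -> str:
        return f"contents of {self.path}"   # no re-check here


class MediatedHandle:
    """Complete mediation: every read is checked against the current ACL."""
    def __init__(self, user: str, path: str):
        self.user, self.path = user, path

    def read(self) -> str:
        CHECKS["complete"] += 1             # the per-access cost the exercise asks about
        if not allowed(self.user, self.path):
            raise PermissionError(self.path)
        return f"contents of {self.path}"


def revocation_demo() -> dict:
    """Open both handles, revoke alice's access, then try to read again."""
    CHECKS["open_time"] = CHECKS["complete"] = 0
    ACL["/etc/payroll"].add("alice")
    stale = OpenTimeHandle("alice", "/etc/payroll")
    mediated = MediatedHandle("alice", "/etc/payroll")
    stale.read()                            # both succeed while access is granted
    mediated.read()
    ACL["/etc/payroll"].discard("alice")    # administrator revokes access
    outcome = {}
    for name, handle in (("open_time", stale), ("complete", mediated)):
        try:
            handle.read()
            outcome[name] = "read succeeded"
        except PermissionError:
            outcome[name] = "denied"
    return outcome
```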
Editor's Notes

  • #3: Least privilege: grant only the permissions necessary to perform a specific task. This principle reduces the potential for damage if an account or process is compromised. Layers of defense: use several layers of security measures so that if one protective layer fails, another layer can keep the system safe. Secure failure: ensure that if the system fails, it fails securely; this keeps the system's protection intact. Open design: security should not depend on the secrecy of the design but should rely on transparent and robust methods. Separation of duties: divide important responsibilities among different people or systems so that the risk of misuse or error is reduced. Simple design: make the design as simple as possible so that complexity and the chance of errors are reduced. Complete checking: validate every access request and do not rely on any cached data or permission. Least common resources: minimize shared resources so that risks can be limited. Psychological acceptability: adopt security measures that are easy and understandable for users so that they do not hesitate to adopt them.