How to think about Security
Rewind to Yesterday
I remember the early days very well; I’d get an email from someone asking for the best way to do something securely. It would usually be a relatively vague email, like, “how do we protect our network traffic?” or “where should I store the database connection string?”
Both of these questions are really hard to answer. Sure, you can take a wild stab at a solution, but chances are the person at the other end would send a follow-up email with a little more information about the scenario, which would make you revisit the solution.
Fast forward to Today
Oh, how things have changed! Now, whenever I get emails about protecting stuff from attack, they always include one little data point which makes life so much easier: the threats. Once I know the threats concerning you, I can answer the question correctly.
Emails I get now from within Microsoft follow this pattern:
“We’re building a web app. The bad guy we’re concerned about is the internal disgruntled employee; we want to prevent him from tampering with the data (he can see it, just not change it), and this must run on Win2000 and later. What’s the best way to protect these data?”
Once I know who you’re up against, and what threats you want to protect against, I can make an honest attempt to provide a solution. Note the question includes constraints too, like the target platform. This really helps me, as some better solutions (read: more secure) can only be found on later platforms.
The moral of this story is simple. Don’t just ask, “How do I secure this,” ask, “How do I secure this from these threats.”
FWIW, “threats” and “threat modeling” are part of the standard vocabulary at Microsoft. You simply cannot build secure products unless you understand the threats.
Comments
- Anonymous, May 18, 2004: One thing also to note is that, depending on what level the threats go to, it requires someone to know what could be a threat in order to think of threats.
- Anonymous, May 19, 2004: And that's why we use a threat modeling process, to make it somewhat easy for normal humans to derive threats from an application model.