Query Response

Query data

Score

Prompt

System Prompt

You are a reporter for a major world newspaper. Write your response as if you were writing a short, high-quality news article for your paper. Limit your response to one paragraph. Use the following article for context: these happen? What's the error that I should see? Whether it be stored in the log file or returned back to the user on a screen. What should we see? Those kinds of things, not just the happy path, but the unhappy path. That's, again, where thinking through those security issues, those what could go wrong, that's a question that we ask quite often in threat modeling, what could go wrong?Not a common question for everybody when they're thinking about the happy path, but when you think about the unhappy path, that really helps pinpoint what could go wrong here.Application Recovery and Stability [28:05]Michael Stiefel: Well, especially if you're, for example, in the middle of a transaction and some of it has to be rolled back and some of it doesn't. You also have to think about what the equilibrium or stable points are in the application. In other words, when you've handled the error, what's the state of the data? What's the state of the application? Can you go back? Let me pick a concrete example that's sort of... Let's say you are enrolling a new member and you have membership data, you have bank information, because let's say they're going to take some service that you charge for and you need all this information, but let's say there's an error in the application data.Let's say they didn't put in, they left out some field, so do you throw everything away even though they got the account information for charges right, but they forgot some piece of information, you're going to throw it all away and they can enter them again? Of course, all the database gurus will tell you, don't have nulls in the database, but here's an example of from the user perspective or even the security perspective, because you have sensitive information that you may be gathering. Do you just throw it all away, make the user do it again, or do you save what you can and then somehow have an application state that says, this person can't go on until they enter this data?Robert Hurlbut: Right, which are good decisions to make.Michael Stiefel: Yes, and they're different for everybody. They depend on the business, but part of the unhappy path is thinking about how unhappy are you.Robert Hurlbut: Right. How unhappy would we be if this happened?Michael Stiefel: Right.Robert Hurlbut: Yes.Michael Stiefel: And how do you recover?Robert Hurlbut: And how do you recover? Those are some things, in terms of concrete for developer, concrete action items, those are some things that could be really helpful in detailing for developers, here's what to look for, here's how to find those unhappy paths, react to them, deal with them, come back later, as you mentioned. Maybe if you have some information missing, how do I validate that I have information missing, that I need to maybe go and request that again from the user and so forth. Those are kinds of things. Again, it also reflect the business as well.Conscious Decision Making [30:25]Michael Stiefel: Absolutely. In fact, the developer can't make those decisions themselves. They need business constraints to make those decisions. What I like to tell people is, if you don't give that guidance to a developer, well, when the developer writes the if-then clause, for example, at 2:00 AM in the morning, they're going to make that decision de facto whether you like it or not.Robert Hurlbut: Absolutely. What we like to say is, when we're talking about threat modeling and when I do training or just talking about in general with a team, is we always say, we're all threat modeling. Maybe it's new to everyone, but the reality is we're always threat modeling. We're always making decisions in our head. We're thinking about, "Okay, here's what I'm going to do. But what if that doesn't work?" We do that all the time. We go to cross the street, we look around both ways before we stepped off the curb.Michael Stiefel: If we don't look both ways, that's a decision too.Robert Hurlbut: That's a decision too, absolutely. We're making decisions all the time, and certainly developers are making decisions as they write code, and so we're already doing that. But the idea is that if we present that as a technique, but in some cases, like I said, I don't want to just simply make that decision for a developer, I need to know that's what I need to put in because that's based on our business rules, based on our requirements and so forth. That's what is going to really help.Michael Stiefel: People have to understand that not to decide is to decide.Robert Hurlbut: Is a decision. Absolutely.Michael Stiefel: What you're essentially saying, it's better to make these decisions consciously, and if necessarily painfully, so you're aware of them. What I always like to say to people is, you don't want to wake up one morning and find out that your business is on the front page of the Wall Street Journal because you had some security breach.Robert Hurlbut: Absolutely.Michael Stiefel: That's what we used to call a career limiting move.Evaluating Risk [32:25]Robert Hurlbut: Well, and that's the value of security analysis, threat modeling, another word for it, secure architecture review, is doing that work so that you are aware. Because like you said, the worst thing is not being aware. If you're aware, at least at that point, you can make some decisions regarding risk. We haven't talked about that yet.Michael Stiefel: Go ahead. Why don't you talk a little bit about risk? Because it is important.Robert Hurlbut: Sure, sure. Absolutely important. We've talked a little bit about vulnerabilities indirectly. SQL injection is a vulnerability, usually based on a code error. Just doing something either intentionally or unintentionally, and it results in a vulnerability, which is basically a way for an attacker or a threat actor to be able to compromise the system using that particular vulnerability. The threat is, the result of that threat or that vulnerability rather being exploited, so the SQL injection example as a vulnerability, the threat would be somebody could use that to retrieve data, change data in the database. Maybe inherently it has more authority than the typical user should have. As a result, they can maybe drop the database.I've seen that before in the middle of a demo, not so great. They could do that, so all kinds of potential threats. The risk comes into play when you become aware of those threats and then you evaluate those threats. What's the likelihood of that threat happening? Some threats are really difficult to do where you can say, "Well, if we had those vulnerabilities, maybe we can get access to the database, but maybe we have limited access to that database. Maybe the user that's calling the database is not an admin user, which we hope, but just a regular user. It only has access to that one database, that one table, that one whatever, and so the threat is limited.But maybe that database is, for whatever reason, using an admin account to make the calls. Well, now you've got all the privileges and so your likelihood, and the other is the impact of that threat. First is the likelihood of that threat, and the second is the impact. If that threat was realized, if somebody was able to get to our database and be able to exfiltrate all the data in my database, what's the result? What could happen? Is that bad? Does that put us in the Wall Street Journal the next day, because everybody finds out we had a big data breach? That's where your risk comes in. That's what we usually say, is that combination of the likelihood and the ease of exploitation of that threat as well as the impact of that threat, if both are relatively high, we got a high risk.If both are relatively low, we call it a low risk. Then, you evaluate in between, low to high, what are they? To get an idea of, if we don't fix this, if we don't, as we identify these threats, if we don't fix them, if we don't mitigate them, are we willing to accept that risk and the results of it losing some money, losing some reputation, or having a reputation impacted, or maybe transfer the risk? We just simply give a message. One common one I see is going into a coffee shop and it says, "We have open Wi-Fi here." Why do they tell you that? There's no password on the Wi-Fi? Well, you said, well, that's ease of use, right? But the reality is, that's transferring the risk to you.You're responsible if you connect to something that's very sensitive, and so that's just transferring the risk to you. Then, other coffee shops will give you a password and provide it and so forth, and try to minimize the risk. The other, of course, is once you understand those risks, then you mitigate, and so then it minimizes the risk. But risk comes into play, just understanding what the threats are, understanding how likely these threats could be exploited and the impact of those threats. Then, that helps you then determine your next actions once you understand some of those risks.Look at System Vulnerabilities, Not Scenarios [36:27]Michael Stiefel: Something that you said raises something that I have thought about often in terms of threat modeling. Thinking about what the outside world could do versus what are the weaknesses of your system, it seems to me that if you try to think, and again, it depends on obviously your experience in your business, of what kind of outside actors and what could they do and what could be the scenarios? This is a huge number of them. But on the other hand, if you think of, as you were talking about before, about how vulnerable is our database? In some case, you don't care whether it's the Chinese government or some mobster trying to get in or some teenage hacker. You don't think of those scenarios.You think of in terms of, what are the weaknesses of the database? What are the weaknesses of our authorization system? Focus on the internal weaknesses in your threat model as opposed to postulating what might happen. Because after all, it's the risks that you don't think of that really will get you. It's like the Secretary of Defense Rumsfeld used to say, there are the known knowns and there are the known unknowns, which a lot of what threat modeling is all about, but the unknown unknowns is what really is the problem. To me, one of the ways of getting at those unknown unknowns is to think of what the weaknesses of your system are as opposed to trying to think about what someone on the outside might do.Robert Hurlbut: Absolutely. Another thing to consider in that regard is sometimes we'll spend, like you just said, a lot of time on beefing up our authentication protocols and process and so forth, which we should, don't get me wrong, that's important. But for services that say, all I have to do is, or for anybody to do to get into the system is they click on this link, they add themselves as a new user of the system, and now they have a login, guess what? Anybody can do that. Not just your customers, but also your attackers. Now, they have the same privileges as a regular user who's doing what you hope is a good thing, and the attacker who has very malicious intent. Now, it's beyond your authentication. They're all treated the same.With that in mind, you don't know who the attacker is, if it's this regular user or if it's an attacker. But then like you said, you have to think about, how do I protect the system? What are the issues, security issues within my system that is not considering necessarily which user is what? We just need to make sure that we're protecting the system and understanding those security issues and resolving them for that very reason that you mentioned. We may or may never know, is this an insider, an outsider that's now become like an insider and going through the system? We don't know. But what we can know and to help us with the unknowns is, like you said, to focus on those issues.Do Not Forget the End User Has a Job To Do [39:37]Michael Stiefel: One last thing that I'd like to bring up before we get to the questions that I like to ask my guests is that sometimes people have to think about the advice they give to their end users as well as any development. One of my favorite pet peeves is the advice that people, I'm not talking about banks or financial institutions, because you have to understand the difference between internal and external attacks. But when people tell me I should change my password every 30 days, well, to me that's ridiculous. Because the only time that that will help you is if your password happens to be stolen in the small interval between when you change your password and they attack. But you have the other 29 days, 23 hours and 55 minutes of vulnerability.That makes no sense to me. Now, again, in the bank, from an internal perspective, changing your password may be important because you want to make sure people who leave the bank... I'm trying to make this context specific, but sometimes people have this very blasé attitude towards security because they don't think of the convenience of the user and making it difficult for them. Instead of making people memorize gobbledygook passwords as opposed to long passphrases, which accomplish the same, you have to also think of not only the internals of the system, but users who will try to circumvent the security because they want to get their job done.Robert Hurlbut: Right, right. No, good points. It's an interesting challenge for users and end users to help them understand some security basics, but also allow them to get their job done. Ultimately, that's another business goal. We want them to be able to do their work or do what they're doing because we want them to be successful. It reflects on us and so forth. But in terms of guidance in general, I know NIST, for example, which is a government agency that typically makes recommendations for security requirements and so forth a few years ago said, "Yes, no need to keep changing passwords all the time." It doesn't really serve a good purpose like you just mentioned. It's better to have a better password, phrases, and so forth.Or, for end users, we can recommend password managers and there are some good tools out there for that to help them if they need to have a different password. The most common issue, of course, is everybody reusing the same password. If those get pulled out of a data breach and then used by attackers to continue to try to log into all kinds of systems, because they figure, "Well, that person probably used it elsewhere, we'll try it everywhere." We're adding numbers, let's just keep adding a number every time when we have to be forced to change the password, and that doesn't make it secure.Michael Stiefel: Right, but people often do that because they're told to change their password every 15 days.Robert Hurlbut: Right, instead of helped with other tools like password managers and so forth, and passphrases and things like that.Michael Stiefel: Well, that actually raises an interesting question, that's going to get me a little far afield, but how much of these security attacks are automated and how much is somebody, a human looking at the data? Forget about AI now, let's not go there, using artificial intelligence for attacks, because I'm sure they're already thinking about that, if they haven't already done it.Robert Hurlbut: Of course.Michael Stiefel: Because big data analysis seem just right. You harvest a whole bunch of usernames, passwords, security credentials, past phrases, and you just machine learning. I'm sure governments have started to think about automated attacks on each other based on big data. But anyway, leave that aside. Something that you and I would have to worry about is if our password is stolen, let's say, which I'm sure because..

User Query

Welll said, but how can we be sure?

Result

Source

https://www.infoq.com/podcasts/security-robert-hurlbut/?utm_campaign=infoq_content&utm_source=infoq&utm_medium=feed&utm_term=Architecture+%26+Design

Response

In a rapidly evolving digital landscape, ensuring security within applications requires meticulous threat modeling to preempt potential vulnerabilities. Experts emphasize the importance of assessing not just the "happy path," or typical user interactions, but also the "unhappy path," where errors or breaches could occur. This involves evaluating application recovery post-error, deciding whether to save or discard partially entered data, and understanding how each decision aligns with business constraints. Developers, often the first line of defense, must navigate these complexities, informed by conscious decision-making to avert potential security breaches that could compromise sensitive data. Integrating robust security analysis, like secure architecture reviews and understanding system vulnerabilities, is pivotal. Considering every possible threat scenario is impractical; instead, focusing on internal system weaknesses will better prepare entities against unexpected security threats, reducing risk and preventing potential reputational damage.