Security

Section 1: Introduction to Cybersecurity

  • Title: All Your Base Are Belong To Us Building Secure Software

Section 2: Overview of Cybersecurity

  • Cybersecurity encompasses protection for:

    • Citizens

    • Businesses

    • Critical infrastructures

  • Estimated global losses from cybercrime: $100-$500 billion annually.

Section 3: Factors Leading to Cybersecurity Failures

  • Key contributing factors:

    • Organizational ignorance about severity

    • Poor security design and procedures

    • Human carelessness

    • Trade-offs between usability and security

Section 4: Cybersecurity Concepts

  • Asset: Something that needs protection.

  • Threat: Circumstance causing damage to an asset.

  • Attack: Action representing a threat.

  • Types of threats:

    • Threat to confidentiality (unauthorized access)

    • Threat to integrity (damage to data/systems)

    • Threat to availability (denying legitimate access)

Section 5: Methods to Combat Cyber Threats

  • Authentication: Verifying user identity.

  • Encryption: Scrambling data to prevent unauthorized access.

  • Firewalls: Filtering incoming network traffic.

  • Trade-offs: Between protection and efficiency.

    • Use of redundancy and diversity for recovery and security enhancements.

Section 6: Planning for Cyber-resilience

  • Identify:

    • Critical assets

    • Important threats

    • Recovery strategies

  • Questions to address:

    • Possible threats

    • Likelihood of threats

    • Detection of attacks

    • Defense strategies

    • Recovery plans post-attack

Section 7: Designing Secure Systems

  • Key insights on bugs and flaws:

    • Bugs: Poor implementation, remain undetected for years.

    • Flaws: Poor design, more subtle than bugs.

Section 8: Trust in Software Systems

  • Trust is built, not assumed.

  • Don't offload security to less secure components.

  • Treat client-provided data as potentially untrustworthy.

  • Implement cautions like obfuscation and time-limited validity.

Section 9: Robust Authentication Practices

  • Ensure authentication cannot be bypassed.

    • Use various factors (knowledge, biometrics, possessions).

  • Minimize unauthorized access through tokens and re-authentication.

Section 10: Authorizing Actions After Authentication

  • Explain contexts of requests to prevent abuse.

  • Ensure sensitive actions trigger re-authentication.

Section 11: Separating Data and Control Instructions

  • Avoid mixing data with execution instructions to prevent injections.

  • Validate and sanitize all data inputs rigorously.

Section 12: Cryptography Best Practices

  • Do not create custom cryptographic algorithms.

  • Use established libraries and protect keys from exposure.

  • Seek expert advice on cryptography implementations.

Section 13: Understanding and Protecting Sensitive Data

  • Identify sensitive data and its handling requirements.

  • Mechanisms: Access control, encryption, backups.

Section 14: User Considerations in Security Design

  • Security needs to be user-friendly and accessible.

  • Designs should minimize user error and foster secure behaviors.

Section 15: External Components and Attack Surfaces

  • Leverage trusted components to mitigate risks.

  • Understand how external components could change your security landscape.

Section 16: Flexibility in Security Practices

  • Adapt to evolving threats and software changes through continuous integration.

  • Design systems for easy updates and secure changes to authentication methods.