Security by design is one of those concepts that happily goes hand in hand with resilience. Candidly, they were made for each other. The security by design methodology helps minimize some of the inherent risk we cannot do anything about.

Building on a Tectonic Plate

Consider for a moment you absolutely had to construct something — say, a building — on a foundation that is inherently vulnerable. There are no other areas to build on (at least not yet). How would you go about that?

Chances are you would take a more cautious approach, build incrementally and test along the way. You would likely add in some redundancies, just to be safe, correct? You would also think about the entire life cycle of the building. You’d try to determine how many good years you could get out of it knowing it is on shaky ground. You’d want to know what type of maintenance would be required.

Quite reasonably, you would examine your technical processes to make sure you have good project management in place, a risk matrix and decision-making process and a way to keep track of quality all before you started to build. And knowing that you are building on something inherently vulnerable, you would also have a plan for how to bring down the building safely and dispose of all materials just in case it becomes too risky to keep up.

Finally, you wouldn’t want people to enter that building unless a bunch of safety checks were performed.

Seems like a quite reasonable approach.

So why are we developing our software and infrastructure in the exact opposite way?

The Inherent Vulnerability of the Internet

The backbone of what we rely on — the internet — is inherently vulnerable. Accept that and you are ahead of most, especially as there is little we can do about it right now. If you are asking why, it’s because of decisions made decades ago. At the same time, we’re stuck with what we have because of the lack of capital resources to build a ‘new internet’. Because ‘it is what it is,’ there is pressure on business continuity and disaster recovery planners. Therefore, if you are feeling that it is one cybersecurity crisis after another, just remember this: the people who built the internet made it to share information, not necessarily to be secure. Security just wasn’t top of mind.

Welcome to 2021. Information security is so top of mind for everybody, the issue is ready to pop out of our heads!

Here’s the key: the internet is your unstable tectonic plate. And just like we have learned to design and construct buildings to be stronger and more resilient in earthquake zones, we need to do something similar for our information technology infrastructure and software. That is where security by design comes in. It is the mitigating methodology to reduce risk.

A Multidisciplinary Approach to Design For Systems Security

If you are looking for a one-stop-shop on security by design principles, there is no better place than NIST SP 800-160 Volume 1, Systems Security Engineering, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. Building on standards from the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and the Institute of Electrical and Electronics Engineers (IEEE), NIST SP 800-160 mixes in systems security engineering techniques, methods and practices to improve the robustness, security and resilience of systems and software.

It is difficult to summarize any better the purpose of the special publication from what is already in there, so let’s just cite directly from it:

The ultimate objective is to address security issues from a stakeholder requirements and protection needs perspective and to use established engineering processes to ensure that such requirements and needs are addressed with the appropriate fidelity and rigor across the entire life cycle of the system.

And the keyword is ‘system’ because that is what ties it all to resilience.

Think about it like this. A single business process becoming unavailable or an asset failing, in isolation, does not impact anything else. Sure, that individual item may buckle, but you contain the blast zone. It’s an isolated resilience failure.

But if those processes or assets have upstream and downstream dependencies, well, then the calculus changes. Knock off one or more of those critical ones and your entire system can come crashing down. That’s why security by design is such an incredible methodology: it’s fixing every piece (a smaller system) in isolation before it gets plugged into the larger system. In other words, if it is safe in isolation, the likelihood of it being unsafe in the larger system decreases. Translation: a more resilient system.

The Price of a Secure System

There are two harsh truths that come with security by design. It’s potentially costly, and it may run counter to business needs. Candidly, good code isn’t cheap. And business drivers, along with market demands and behaviors, do not necessarily have the time or patience to wait for good code.

And therein is your resilience paradox. Security sustains and helps build a strong economy. But, you need a strong economy to invest in security.

See the conundrum? Limited resources and time bind us, leaving us to invoke the old favorite: it’s all about risk management. At some point, somebody has to make the decision and say, “All right, I know I’m going to suffer a disruption, and I know that I need to find a way to operate through that disruption; how much risk can I take on and survive?”

Really, that is all that it comes down to. With 5G investments happening, Internet of Things use still exploding and sensitive data handling requirements continuing to grow, such as personal health information, we are reaching a tipping point where the risk may be too high. Specifically, we are reaching that level where an organization may not be able to operate through a disruption. Instead, it may go bust.

That’s why security by design is such a good idea. It may cost upfront, and it may take a bit longer to implement, but the approach will help you weather most storms.

Next in our journey and very appropriate after this piece: the supply chain and third parties.
