
LeastPrivilege Secure Programming Related Module 2 001

Uploaded by

Sudin kumar G.K

Sudhina Kumar GK Principles of Secure Coding 1 / 18

Key Security Principles

Principle of Least Privilege (PoLP)


A user, process, or program should have only the minimum necessary
rights and permissions to perform its function.
Minimizes the potential damage if an account or system is
compromised.

Defense in Depth

Employing multiple layers of security controls to protect against a
single failure point.
If one control is bypassed (e.g., a firewall), another is in place to
provide protection (e.g., strong authentication).

Fail Securely

When a system fails or encounters an unexpected state, it should
deny access or data rather than revealing it.
An application should not display a verbose error message that
includes sensitive information.
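
Added example (not from the original slides): a request handler that fails closed. Any error during the authorization check counts as a denial, and an unexpected failure returns a generic message with a reference ID while the detail stays in the server log. The policy table, record store and function names are constructed for illustration.

```python
import logging
import uuid

log = logging.getLogger("app")

# Constructed data for this example.
POLICY = {"alice": {"read", "write"}, "bob": {"read"}}
RECORDS = {"42": "quarterly report"}


def lookup_permissions(user, backend_up=True):
    """Stand-in for a policy service; raises on outage or unknown user."""
    if not backend_up:
        raise ConnectionError("policy db timeout at db-internal:5432")
    return POLICY[user]


def is_allowed(user, action, backend_up=True):
    """Fail closed: any error during the check counts as a denial."""
    try:
        return action in lookup_permissions(user, backend_up)
    except Exception:
        log.exception("authz check failed user=%r action=%r", user, action)
        return False


def load_record(record_id):
    if record_id == "broken":  # constructed fault simulating an unexpected state
        raise RuntimeError("cannot read /srv/data/records.db: checksum mismatch")
    return RECORDS[record_id]


def handle_request(user, action, record_id, backend_up=True):
    """Return (status, body); the body never carries exception text."""
    if not is_allowed(user, action, backend_up):
        return 403, "Access denied."
    try:
        return 200, load_record(record_id)
    except Exception:
        incident = uuid.uuid4().hex[:8]
        # Full detail goes to the server-side log, keyed by the incident id.
        log.exception("request failed incident=%s record=%r", incident, record_id)
        return 500, f"Internal error. Reference: {incident}"
```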

Minimize Attack Surface

Reducing the number of potential entry points for an attacker.
Includes turning off unnecessary services, closing unused ports, and
restricting access to critical components.

Separation of Duties

Requiring two or more individuals to complete a sensitive task.
Prevents one person from having complete control and is a crucial
control against fraud and insider threats.

Secure Defaults

The default settings for any product should prioritize security over
convenience.
This is a high-impact principle, as many users do not change
default settings.

Topic: What is SD3?

Secure by Design, Default, and Deployment


A modern security philosophy that embeds security into a product
from its inception.
Moves from a reactive model (fixing vulnerabilities) to a proactive
one.
Makes security a proactive, built-in feature, not an afterthought.

Secure by Design

Security is a core architectural requirement.
Threat Modeling: A systematic process to identify threats and
vulnerabilities before code is written.
Secure Architecture: Designing the application with security in
mind, including layered security and robust access controls.
Security Requirements: Defining and documenting explicit security
requirements alongside functional ones.

Secure by Default

Products should have the most secure configurations enabled "out of
the box."
Minimizes the risk of user error and ensures a baseline level of security.
Least Privilege: All components should run with the fewest
necessary permissions by default.
Conservative Settings: Avoid enabling risky or less-used features by
default.
Pre-configured Security: Critical features like MFA should not
require complex setup.

Secure in Deployment

Focuses on maintaining the product's security throughout its
operational life.
Maintainability: The system should be easy to update and patch
with security fixes.
Patch Management: A clear, automated process for vulnerability
discovery and rapid remediation.
Secure Administration: Providing clear documentation and tools to
help users and administrators operate the system securely.

Topic: Threat Modeling Tools

Used in the early stages of the SSDLC to visualize and analyze
potential attack vectors.
Help teams brainstorm how an attacker might exploit vulnerabilities.
Enable the design of mitigations before coding begins.

Examples:
Microsoft Threat Modeling Tool
OWASP Threat Dragon

Static Application Security Testing (SAST)

Analyzes source code without running it (white-box testing).
Finds common vulnerabilities like SQL injection and XSS.
Best when integrated into a developer’s IDE or the CI/CD pipeline.

Examples:
SonarQube
Checkmarx

Dynamic Application Security Testing (DAST)

Analyzes a running application by simulating attacks from the outside
(black-box testing).
Finds issues SAST might miss, like server configuration errors and
authentication flaws.
Used in the testing and verification phase.

Examples:
OWASP ZAP
Burp Suite

Interactive Application Security Testing (IAST)

Offers a hybrid approach, combining the best of SAST and DAST.
Runs within the application, analyzing code execution in real-time.
Provides highly accurate results with fewer false positives.

Examples:
Contrast Security

Software Composition Analysis (SCA)

Scans for known vulnerabilities in open-source components and
third-party libraries.
Critical for finding vulnerabilities in dependencies.
Often integrates with package managers for immediate alerts.

Examples:
Snyk
Dependabot

Container Security & Infrastructure as Code (IaC) Scanners

Checks for misconfigurations and vulnerabilities in container images.
Secures the deployment environment by scanning the code that
defines it.

Examples:
Trivy
Kubescape

Secret Scanners

Detects hard-coded secrets (passwords, API keys, private tokens).
Prevents dangerous exposure of sensitive information in code.

Examples:
GitLeaks
GitGuardian
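
Added example (not from the original slides, and not the rule set of GitLeaks or GitGuardian): a simplified secret scanner that combines fixed-format patterns with an entropy check on credential-like assignments, so placeholders and environment lookups are not reported. The rule names, entropy threshold and sample input are constructed for illustration; the AWS key shown is the example value from AWS documentation.

```python
import math
import re
from collections import Counter

# Fixed-format rules: the token shape alone is enough to report.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
]
# Credential-like name assigned a quoted literal of 8+ characters.
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)


def shannon_entropy(s):
    """Bits per character; low for placeholders, high for random tokens."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text, min_entropy=3.0):
    """Return a list of (line_number, rule_name) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((lineno, name))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= min_entropy:
            findings.append((lineno, "hardcoded-credential"))
    return findings


# Constructed sample source file.
SAMPLE = '''\
import os
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = "x9F2kQ7vLm3Zp8Rt"
api_key = os.environ["API_KEY"]
token = "xxxxxxxxxxxx"
pem = "-----BEGIN RSA PRIVATE KEY-----"
'''

if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE):
        print(f"line {lineno}: {rule}")
```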
