Airforce Institute of Technology FACULTY OF COMPUTING

Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY

CYB 309: SYSTEMS SECURITY – LECTURE NOTES

MODULE 4 – SECURITY DESIGN & CODING

1 TOPIC: SECURE DESIGN AND CODING PRINCIPLES

What Is Security Architecture?
Although the concept is somewhat abstract, there are several reasonable definitions. We
think of security architecture as a body of high-level design principles and decisions that allow
a programmer to say "Yes" with confidence and "No" with certainty.
A security architecture also serves as a framework for secure design, which embodies in
microcosm the four classic stages of information security: protect, deter, detect, and react.
Design
Design is the guiding principle for how a system is built and is applicable on all levels, from
code to architecture. It includes any activity that involves active decision-making.
Good design is the sword and shield of the security-conscious developer. Sound design
defends your applications from subversion or misuse, protecting your network and the
information on it from internal and external attacks alike. It also provides a safe foundation
for future extensions and maintenance of the software.
Bad design makes life easier for attackers and harder for the good guys, especially if it
contributes to a false sense of security while obscuring pertinent failings.
Many of the attacks perpetrated by cybercriminals are performed using software
vulnerabilities. Software vulnerabilities are often programming mistakes or oversights that
leave web applications, web servers, or websites exposed. It is up to the software
programmers to create applications with a high standard of security to prevent these attacks
from occurring.
What is OWASP?
OWASP (Open Web Application Security Project) is an online community that produces free
tools, documentation, articles, and technologies to help people secure their websites, web
applications, and network resources. It was founded by Mark Curphey, an experienced
information security specialist, in 2001. Their primary focus is on web security, application
security, and vulnerability assessment.
What are the OWASP Security Design Principles?
The OWASP Security Design Principles have been created to help developers build highly
secure web applications. The OWASP security design principles are as follows:
1. Asset clarification
Before developing any security strategies, it is essential to identify and classify the data that
the application will handle. OWASP suggests that programmers create security controls that

1
 Airforce Institute of Technology FACULTY OF COMPUTING
Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY

CYB 309: SYSTEMS SECURITY – LECTURE NOTES

MODULE 4 – SECURITY DESIGN & CODING

are appropriate for the value of the data being managed. For example, an application
processing financial information must have much tighter restrictions than a blog or web
forum.
2. Understanding attackers
Programmers should design controls that prevent misuse of the application by different types
of malicious parties, including (from most to least dangerous):

• Disgruntled staff members and programmers

• Drive-by attacks that release viruses or Trojan attacks onto the system
• Motivated cybercriminals
• Criminal organisations with malicious intent
• Script kiddies
The most dangerous type of attacks that developers must safeguard against are from
disgruntled staff members and programmers. That is because they usually have a high level
of access to sensitive systems. Programmers can use OWASP principles techniques to
safeguard against these types of attacks.
3. Core pillars of information security
OWASP recommends that all security controls should be designed with the core pillars of
information security in mind:

• Confidentiality – only allow access to data for which the user is permitted
• Integrity – ensure data is not tampered or altered by unauthorised users
• Availability – ensure systems and data are available to authorised users when they
need it
4. Security architecture
OWASP recommends that every application has application security measures designed to
cover all kinds of risks, ranging from typical usage risks (accidental data erasure) through to
extreme attacks (brute force attacks, injection attacks etc.).
They recommend that developers should consider each feature on the application they are
designing and ask the following questions:
Is the process surrounding this feature as safe as possible? In other words, is this a flawed
process?
If I were evil, how would I abuse this feature?
Is the feature required to be on by default? If so, are there limits or options that could
help reduce the risk from this feature?
By “thinking evil” developers can identify the ways that cybercriminals and malicious
individuals might seek to attack a web application. OWASP suggests that developers also

2
 Airforce Institute of Technology FACULTY OF COMPUTING
Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY

CYB 309: SYSTEMS SECURITY – LECTURE NOTES

MODULE 4 – SECURITY DESIGN & CODING

following the STRIDE / DREAD threat risk modelling technique used by many corporations.
STRIDE helps programmers identify threats and DREAD allows programmers rate threats.
SECURE CODING PRINCIPLES
These principles are taken from the OWASP Development Guide:
1. Minimise attack surface area
Every time a programmer adds a feature to their application, they are increasing the risk of a
security vulnerability. The principle of minimising attack surface area restricts the functions
that users can access, to reduce potential vulnerabilities.
For example, you might code a search feature into an application. That search feature is
potentially vulnerable to file inclusion attacks and SQL injection attacks. The developer could
limit access to the search function, so only registered users could use it — reducing the attack
surface and the risk of a successful attack.
2. Establish secure defaults
This principle states that the application must be secure by default. That means a new user
must take steps to obtain higher privileges and remove additional security measures (if
allowed). Establishing safe defaults means there should be strong security rules for how user
registrations are handled, how often passwords must be updated, how complex passwords
should be and so on. Application users may be able to turn off some of these features, but
they should be set to a high-security level by default.
3. The principle of Least privilege
The Principle of Least Privilege (POLP) states that a user should have the minimum set of
privileges required to perform a specific task. The POLP can be applied to all aspects of a web
application, including user rights and resource access. For example, a user who is signed up
to a blog application as an “author” should not have administrative privileges that allow them
to add or remove users. They should only be allowed to post articles to the application.
4. The principle of Defence in depth
The principle of defence in depth states that multiple security controls that approach risks in
different ways is the best option for securing an application. So, instead of having one security
control for user access, you would have multiple layers of validation, additional security
auditing tools, and logging tools. For example, instead of letting a user login with just a
username and password, you would use an IP check, a Captcha system, logging of their login
attempts, brute force detection and so on.

3
 Airforce Institute of Technology FACULTY OF COMPUTING
Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY

CYB 309: SYSTEMS SECURITY – LECTURE NOTES

MODULE 4 – SECURITY DESIGN & CODING

5. Fail securely
There are many reasons why a web application would fail to process a transaction. Perhaps a
database connection failed, or the data inputted from a user was incorrect. This principle
states that applications should fail in a secure way. Failure should not give the user additional
privileges, and it should not show the user sensitive information like database queries or logs.
6. Do not trust services
Many web applications use third-party services for accessing additional functionality or
obtaining additional data. This principle states that you should never trust these services from
a security perspective. That means the application should always check the validity of data
that third-party services send and not give those services high-level permissions within the
app.
7. Separation of duties
Separation of duties can be used to prevent individuals from acting fraudulently. For example,
a user of an eCommerce website should not be promoted to also be an administrator as they
will be able to alter orders and give themselves products. The reverse is also true — an
administrator should not have the ability to do things that customers do, like order items from
the front end of the website.
8. Avoid security by obscurity
This OWASP principle states that security by obscurity should never be relied upon. If your
application requires its administration URL to be hidden so it can remain secure, then it is not
secure at all. There should be sufficient security controls in place to keep your application safe
without hiding core functionality or source code.
9. Keep security simple
Developers should avoid the use of very sophisticated architecture when developing security
controls for their applications. Having mechanisms that are overly complex can increase the
risk of errors.
10. Fix security issues correctly
If a security issue has been identified in an application, developers should determine the root
cause of the problem. They should then repair it and test the repairs thoroughly. If the
application uses design patterns, it is likely that the error may be present in multiple systems.
Programmers should be careful to identify all affected systems.

4
 Airforce Institute of Technology FACULTY OF COMPUTING
Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY

CYB 309: SYSTEMS SECURITY – LECTURE NOTES

MODULE 4 – SECURITY DESIGN & CODING

2 TOPIC: WHAT IS THE PRINCIPLE OF LEAST PRIVILEGE (POLP)?

The principle of least privilege (POLP) is a concept in computer security that limits users access
rights to only what are strictly required to do their jobs. Users are granted permission to read,
write or execute only the files or resources necessary to do their jobs. This principle is also
known as the access control principle or the principle of minimal privilege.
POLP can also restrict access rights for applications, systems and processes to only those who
are authorized.
Depending on the system, some privileges may be based on attributes contingent on the
user's role within the organization. For example, some corporate access systems grant the
appropriate level of access based on factors such as location, seniority or time of day. An
organization can specify which users can access what in the system, and the system can be
configured so the access controls recognize only the administrators' role and parameters.
What Is a Superuser?
A superuser account provides information technology (IT) staff members with unlimited
privileges so they have full read, write and execute authority and can make changes across a
network. This includes installing software, modifying settings and files, and deleting data and
users. Superuser accounts are only given to the most trusted individuals, usually systems
administrators (sys admins) or the equivalent. The superuser account is also known as an
administrator account and is often given the name root.
Controlling access
Least-privileged users (LPUs) are those with the most limited access and often the lowest level
of authority within the company. In an organization, users often have elevated levels of access
to the network and the data on it. When an LPU is set up, that user account has limited
privileges and can perform only specific tasks, such as surfing the web or reading email. This
makes it harder for a malicious attacker to use an account to cause harm.
Another way to control user access is by implementing a concept called privilege bracketing.
This approach involves permitting users access to administrator accounts for the shortest
time necessary to complete the specific task. This function can be administered through
special automated software to ensure that access is granted only for the specified amount of
time.
What Is Privilege Creep?
POLP is not only about taking away privileges from users; it is also about monitoring access
for those who do not require it. For example, privilege creep refers to the tendency of
software developers to gradually add more access rights beyond what individuals need to do
their job. This can cause major cybersecurity risks to the organization. For example,

5
 Airforce Institute of Technology FACULTY OF COMPUTING
Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY

CYB 309: SYSTEMS SECURITY – LECTURE NOTES

MODULE 4 – SECURITY DESIGN & CODING

employees who are promoted may still need temporary access rights to certain systems for
their old job. But, once they are settled in their new position, more access rights are added,
and existing privileges often are not revoked. This unnecessary accumulation of rights could
result in data loss or theft.
Benefits of Using Principle of Least Privilege
1. Prevents the spread of malware. By imposing POLP restrictions on computer systems,
malware attacks cannot use higher-privilege or administrator accounts to install
malware or damage the system.
2. Decreases chances of a cyber-attack. Most cyber-attacks occur when an attacker
exploits privileged credentials. POLP protects systems by limiting the potential
damage that can be caused by an unauthorized user gaining access to a system.
3. Improves user productivity. Only giving users required access to complete their
necessary tasks means higher productivity and less troubleshooting.
4. Helps demonstrate compliance. In the event of an audit, an organization can prove its
compliance with regulatory requirements by presenting the POLP concepts it has
implemented.
5. Helps with data classification. POLP concepts enable companies to keep track of who
has access to what data in the event of unauthorized access.
While POLP helps minimize the risk of an unauthorized user accessing sensitive data, the main
disadvantage is that the minimum permissions must be consistent with a user's roles and
responsibilities, which might be challenging in larger organizations. For example, users might
not be able to perform a certain required task if they do not have the appropriate privilege
access.
How to Implement POLP
Applying POLP concepts can be as simple as eliminating end-user access to devices, such as
removing Universal Serial Bus (USB) drives to prevent the exfiltration of classified information,
to more involved operations, such as conducting regular privilege audits.
Organizations can successfully implement POLP by doing the following:
1. Conducting privilege audits by reviewing all existing processes, programs and accounts
to ensure there is no privilege creep.
2. Starting all accounts with least privilege and adding privileges according to the access
required to perform.
3. Implementing separation of privileges by distinguishing between higher-level privilege
accounts and lower level-privilege accounts.
4. Assigning just-in-time privileges by providing higher-level privilege accounts limited
access to complete the necessary task.
5. Tracking and tracing individual actions conducted by one-time-use credentials to avoid
potential damage.

6
 Airforce Institute of Technology FACULTY OF COMPUTING
Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY

CYB 309: SYSTEMS SECURITY – LECTURE NOTES

MODULE 4 – SECURITY DESIGN & CODING

3 TOPIC: THREAT MODELING

Threat modelling works to identify, communicate, and understand threats and mitigations
within the context of protecting something of value.
Threat modelling can be applied to a wide range of things, including software, applications,
systems, networks, distributed systems, things in the Internet of things, business processes,
etc. There are very few technical products which cannot be threat modelled; more or less
rewarding, depending on how much it communicates, or interacts, with the world. Threat
modelling can be done at any stage of development, preferably early - so that the findings
can inform the design.
Components of a Threat Model
Most of the time, a threat model includes:

• A description / design / model of what you are worried about

• A list of assumptions that can be checked or challenged in the future as the threat
landscape changes
• A list of potential threats to the system
• A list of actions to be taken for each threat
• A way of validating the model and threats, and verification of success of actions taken
Importance of Threat Modelling
The inclusion of threat modelling in the SDLC can help
1. Build a secure design
2. Efficient investment of resources; appropriately prioritize security, development, and
other tasks
3. Bring Security and Development together to collaborate on a shared understanding,
informing development of the system
4. Identify threats and compliance requirements, and evaluate their risk
5. Define and build required controls.
6. Balance risks, controls, and usability
7. Identify where building a control is unnecessary, based on acceptable risk
8. Document threats and mitigation
9. Ensure business requirements (or goals) are adequately protected in the face of a
malicious actor, accidents, or other causes of impact
10. Identification of security test cases / security test scenarios to test the security
requirements

7
 Airforce Institute of Technology FACULTY OF COMPUTING
Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY

CYB 309: SYSTEMS SECURITY – LECTURE NOTES

MODULE 4 – SECURITY DESIGN & CODING

Review Questions
1. Write short notes on the following –
a. Security Architecture
b. Design
c. OWASP
2. The OWASP Security Design Principles have been created to help developers build
highly secure web applications. What are the four (4) OWASP Security Design
Principles (list only)?
3. By “thinking evil” developers can identify the ways that cybercriminals and malicious
individuals might seek to attack a web application. Discuss five (5) out of the ten
OWASP secure coding principles.
4. What is the principle of least privilege (POLP)?
5. Write short notes on the following –
a. Superuser
b. Least-privileged accounts (LPU)
c. Privilege creep
6. As a systems control and security consultant, you were asked to review access roles in
a Network Operations Centre (NOC). Your review revealed multiple challenges in the
system.
• Multiple users have more than one job function activated on their profile (e.g.,
accounting function and network security function).
• When an employee is moved from one unit to another, the job function of the
new department is usually just added to the user profile.
• The default user account for new staff is sys_admin.
Your task
a. Propose a suitable principle for this NOC.
b. What are the five (5) ways that will you successfully implement this principle?
c. How will you tackle the issue of creating new users?
d. What should happen when a user change department?
7. Mention the five (5) benefits of using principle of least privilege.
8. What are the ten (10) importance of threat modelling?

RECOMMENDED TEXT
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th
Edition (2021), Mike Chapple; James Michael Stewart; Darril Gibson; ISBN: 978-1-119-
78623-8

8
 Airforce Institute of Technology FACULTY OF COMPUTING
Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY

CYB 309: SYSTEMS SECURITY – LECTURE NOTES

MODULE 4 – SECURITY DESIGN & CODING

OWASP. Application Threat Modeling | OWASP. Owasp.org. Retrieved 24 April 2021, from
https://owasp.org/www-community/Application_Threat_Modeling.
Rosencrance, L. (2021). What is the Principle of Least Privilege (POLP)?. SearchSecurity.
Retrieved 24 April 2021, from
https://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP.