Ask a software engineer what comes to mind when they think about security, and chances are they will tell you about SQLIs and web shells.
Security is a circus, and we all want to see the attractions. — Stefano Zanero
While these topics are definitely exciting and fun to find and think about, the reality of building secure systems goes beyond the shiny realm of ; DROP TABLE users;.
For systems to be secure, they need to be robust against attacks, at multiple levels.
Where do vulnerabilities come from?
To answer this simple question, we’ll go over the areas where vulnerabilities may arise, in any given system. The adressed areas are mutually exclusive & collectively exhaustive.
The answer
As we see it, a socio-technical information processing system may be vulnerable at 5 different levels.
| Layer | Examples of vulnerabilities | Examples of possible mitigations |
|---|---|---|
| System feature | No fine-grained RBAC; password reset links that don’t expire | Threat modelling; design reviews;security by design & default |
| First party code | Any type of vulnerability | SAST; DAST |
| Third party code | Any type of vulnerability | SCA; Container scanners; Auto-updates |
| Platform | Misconfigured servers; secrets leaks | CSPM; secrets observability; patch management |
| Organisation | Members of the organisation responsible for the system, stealing data or sabotaging it | RBAC; security monitoring; background checks |
Of course, the above is merely a simplified view of the bigger picture. The efforts you’ll deploy and tools you’ll choose to robustify each layer will depend on your available resources and risk appetite. In any case, no solution will ever be able to cover all threats, so a dash of common sense and actual industry experience are mandatory too.
Starting point
It’s crucial to keep in mind that attackers only need one attack path to compromise the systems we care about. So we, defenders, need to constantly patrol our entire estate. We can’t afford to erratically wander about the place, and in my opinion, knowing where our vulnerabilities come from sets us on the right path.