SECURE BY DESIGN

Eliminate Vulnerabilities

How do you eliminate vulnerabilities by design? Isn’t keeping your software up-to-date the best one can do?

Keeping software up-to-date is a must, but it is reactive. It only eliminates vulnerabilities after they have been discovered, after patches are published — and after the patches are applied. As soon as a vulnerability is discovered, you’re in a race against the hackers (and the hackers are automated). Yes, keep software up-to-date, but there is more that can be done.

Eliminating vulnerabilities by design is a proactive strategy. One example is a serverless design, which replaces the traditional web host (running scripts and a database) with a CDN that serves static client applications backed by highly trusted and secured servers.

You can’t hack it if it isn’t there.

You can’t hack a server that isn’t there and you can’t hack an application that isn’t there either.

That is ’secure by design’. Moving servers and applications from more vulnerable locations to less vulnerable locations can eliminate an entire class of common attacks. Also, disabling key entry points on the server can eliminate entire classes of malware because the server simply won’t run them.

One characteristic of a good design is that it doesn’t require much maintenance.

If that’s the case, why doesn’t everyone do it?

The reasons have to do with cost and convenience. The open source software business model does not allow for much support, and although web hosting companies usually advertise 24x7 customer support, it doesn’t cover everything. There are restrictions, SLAs, trade-offs and fine print and all of these things are moving targets. There is very little online that isn’t moving.

ABOUT THE SUBMARINE
USS Alaska, Ohio-class submarine

This is the USS Alaska (SSBN 732), an Ohio-class submarine. By using this image, I don’t mean to claim any military-grade qualifications. I chose this image because it represents ’stealth in an adversarial environment.’

The information security community uses the phrase "security by obscurity", which it considers a particularly inadequate defense. However, hackers are constantly collecting evidence in order to find vulnerable websites. I have never seen a website that was not being probed daily. Whether we know it or not, the Internet is an adversarial environment.

"Eliminate the vulnerabilities that can be eliminated — and make the rest disappear."

My design goal is to yield as little evidence as possible. I believe my work is approaching zero evidence, comparable perhaps to a stealth bomber with the radar cross section of a sparrow, or this submarine’s navigation system with an extremely low signal-to-noise ratio.

What do I do?

  • Serverless and semi-serverless design
  • Server and application hardening
  • Security reviews
  • Malware reverse engineering
  • Minimize the attack surface
  • Security compliance
  • Penetration Testing