Questions tagged [security-by-design]
The security-by-design tag has no usage guidance.
32 questions
Network security in Docker containers (1 vote, 1 answer, 232 views)
I am currently involved in enhancing the security of a Docker-based web application. The application follows a traditional three-tier architecture, comprising a web app, an application layer, and a ...

Why are HMAC signatures frequently used for webhook authorization but not other HTTP API requests? (5 votes, 0 answers, 205 views)
HMAC signatures are very commonly used for webhook authorization from service to consumer.
Examples:
Stripe
Slack
Twilio
Twitter
GitHub
and hundreds and hundreds more. This seems a near universal ...

Are IBM's "Security and Privacy by Design" practices based on any earlier standard or guideline? (1 vote, 1 answer, 200 views)
The following process overview schematic is derived from IBM's Security in Development: The IBM Secure Engineering Framework, but I think I've seen a very similar process diagram before, though I ...

Do we need threat modelling after following the ASVS standard? (1 vote, 1 answer, 295 views)
We are planning to lay out guidelines in our organisation for everyone to follow a secure software development lifecycle. As part of this, we plan to adopt the Security Knowledge Framework (SKF) that ...

How can I verify the hash of the plain text without being able to decrypt the cipher text? (2 votes, 2 answers, 560 views)
I am building an E2EE chat app where there is one asymmetric key pair per group. Each user also has one asymmetric key pair. All messages in a group chat are encrypted with the group public key and ...

Server upload to presigned URL (0 votes, 0 answers, 244 views)
I am writing a REST service which enables users to get a tar archive of a set of requested documents. When the request succeeds, the service should upload the file to a pre-signed URL that points to an ...

Can we prevent users from generating a QR code with edited information? (0 votes, 1 answer, 239 views)
Currently there is this design of two apps that work together:
Proof app: On the customer's phone, takes in a text code and creates a QR code
Scanner app: On the host's phone, scans the QR code and displays ...

Who (Designer or User) Should Be Responsible for the Correct/Secure Usage of a Tool Intended for Developers/Admins? [closed] (0 votes, 1 answer, 207 views)
There is a healthy debate around a series of Stack Overflow posts that refer to the "RunAs" command. Specifically, the discussion is in reference to the design decision that the folks at ...

Is testing all executables, without considering any files in the system, enough for deducing whether the system is infected with malware? (0 votes, 1 answer, 119 views)
I came to know that malicious activities will be carried out only by software (a program), whereas malicious files (data for the software installed in the system) can't perform the malicious ...

Is it possible to detect malicious software just by analyzing the code structure? (1 vote, 4 answers, 204 views)
I'm a newbie to software security. I'm designing a network and I was wondering whether it is possible to detect if a program upgrade being downloaded on the network is malicious just by analyzing the ...

Are injection vulnerabilities a design or an implementation flaw? (2 votes, 3 answers, 372 views)
Are injection vulnerabilities mainly a design or an implementation problem? I'm using SQL injection as an example; I'm interested in other injection vulnerabilities as well.
I believe that it is the ...

I opened an HTTP website from my email, how can I know if it's safe? (-2 votes, 1 answer, 186 views)
So, I have Google Alerts set for a few words, and one of these alerts had a link to the site "chatsosedi.ru", which I opened. I found out the site isn't HTTPS. I clicked on it before realizing. Is it ...

How can I preserve the uniqueness of a document without a database? (1 vote, 1 answer, 121 views)
I'm willing to create a system of transferable documents (identified by its ID) whose author can transfer his ownership of that document to another person (identified by his/her ID).
For example:
...

How can you stay safe from spyware used by governments? [closed] (1 vote, 0 answers, 238 views)
It is a fact that antivirus software can't detect all the spyware/viruses/malware that exist. And when they get detected, new ones are created.
An example is the Pegasus spyware for iOS created by ...

What are the security implications of allowing the API consumer to decide the primary key stored in the database? (3 votes, 1 answer, 146 views)
Story
We are developing an API which allows consumers to create or modify (i.e. upsert) objects stored in a database via an endpoint with HTTP PUT.
The primary key of the object stored in this way ...

Is there a name for the security principle of "balance-preserving functions"? (e.g. for bank balances) (0 votes, 0 answers, 105 views)
Suppose you are designing software to manage bank balances for different accounts belonging to a given customer. A single customer can have multiple accounts with a bank, such as a credit card ...

Multi-factor and order of authentication [duplicate] (2 votes, 1 answer, 183 views)
I'm questioning the design and architecture around 2FA/MFA controls while authenticating to services and servers.
On major platforms (*), the end-user is:
first prompted for credentials (username/...

End-to-end Encrypted Group Chat Considerations (8 votes, 2 answers, 5k views)
I was thinking about building a simple end-to-end encrypted chat with group chat capabilities. Please bear in mind that 1) it's just an experiment to help me know more about cryptography and 2) I'm an ...

Why don't smartphone manufacturers write the IMEI onto one-time-writable ROM so that it can't be tampered with? [closed] (2 votes, 0 answers, 241 views)
The title says it all, basically. Even now, why is tampering with the IMEI possible at all? Shouldn't manufacturers be using one-time-writable memory to embed the IMEI into phones? Why don't they?

Exception handling in multi-tier applications [closed] (0 votes, 2 answers, 230 views)
Error and exception handling in web applications can introduce security issues, often in the form of denial of service (i.e., when a service crashes because of poor error handling) and information ...

Can you tell me if my design is secure? (1 vote, 1 answer, 241 views)
I'm designing a database interface for a system that could store PII. My first focus is on making sure all the data is secure; to do this I have designed the system as follows.
I'm running three ...

How useful is PDF signing in real-world usage? (2 votes, 1 answer, 255 views)
Background scenario:
So we had a problem where our system (Alice's shiny widgets) generated a PDF with a quote amount for 10 widgets. Someone (Eve) took the PDF, altered it to increase the price by 20%...

Partitioning database to enhance security/anonymity? (2 votes, 3 answers, 710 views)
The goal here is to prevent identification of the users and their data. Is it a good idea to partition my database into multiple ones, one for each kind of sensitive data, hiding the links between ...

Can the person who buys my old number access my old Viber contacts? (1 vote, 1 answer, 4k views)
I was using Viber on my old phone. I stopped using that SIM card/number and stopped using that phone. I forgot to deactivate my Viber account. When my old SIM card carrier sells my old number to a new ...

How do headphones work? Do they contain firmware? [closed] (-1 votes, 3 answers, 2k views)
How do headphones work? Do they contain any firmware or any instruction set? Are they vulnerable to anything? Good old wired analog jack ones, not USB wired, wireless, or Bluetooth ones, which have a lot of ...

Limiting automated domain creation by malware (0 votes, 2 answers, 187 views)
As we know, most malware creates thousands of domains and subdomains using DBA for setting up C&C communications. The domain names are controlled by the Internet Corporation for Assigned Names and ...

Design and Security Architecture: where should IPS/IDS be placed? (0 votes, 2 answers, 712 views)
I am a system architect working on projects (mostly CDN-related projects) and I am currently a bit confused about where the IPS/IDS should be placed. We have an NGINX-based webserver for the edge ...

Media content protection [closed] (0 votes, 1 answer, 167 views)
I have been trying to encrypt media (video and audio content) from a Node.js server to a client like Android or iOS. I heard of DRM but could not get a reliable implementation of DRM.
I wanted to make ...

Security by design: clarification (9 votes, 2 answers, 1k views)
I work as a contractor in the IS Security field. I was hired by my current client to design and enforce a methodology to make sure security risks are assessed and addressed in all IT projects. Besides ...

How to convince someone to use layered security? (1 vote, 1 answer, 176 views)
Layered security, also known as layered defense, describes the practice of combining multiple mitigating security controls to protect resources and data.
How to convince someone to use layered ...

Why isn't applying security and usability best practices enough? (2 votes, 2 answers, 207 views)
I have a homework question that suggests that applying security and usability best practices isn't enough to create a secure and usable system. What am I missing? Why isn't this enough?
If I follow ...

Security-by-design based on an existing framework or a custom design? (3 votes, 1 answer, 218 views)
Personally, I do most of my development in PHP (the programming language doesn't really matter for this question). Popular PHP frameworks among developers are, for example:
CodeIgniter
Laravel
Symfony
...