So far, we've covered secure design principles from 1975 to about 2009. We have two more to look at, starting with Richard Smith's principles.
In 2011, Richard Smith wrote Elementary Information Security to fully comply with NSTISSI-4011, a standard for federal cyber-security education. The resulting text covers topics ranging from file systems to identity management to networks and encryption. In the following year, Smith reviewed the principles he used in the text and compared them to Saltzer's original list, also tangentially referencing some similar work from previous years. The resulting list essentially adds a couple of principles to Saltzer's original list and then contemporizes the original principles that still seem to have direct application today. He does, however, take the somewhat contradictory stance that certain principles, like complete mediation, which are not in current use should be dropped even though they may contribute to other principles he does support, like defense in depth.
This embraces and extends Saltzer's idea of iterable system design. Developers who adopt this principle commit to continuously improving the security posture of their systems over time. This leads to more malleable systems that can be changed more easily when needed. Systems that are able to continuously improve are also continually changing, and must have infrastructure in place to support that high rate of change. This makes systems more securable by shortening the time they spend in perceived insecure states.
This principle essentially mirrors Saltzer's ideas in his original paper.
Defense in Depth
Defense in depth is a newer security principle, though it is inspired by earlier principles like complete mediation. Defense in depth is the practice of inserting security controls throughout a system rather than only at a specific perimeter. As a concept, it applies equally well to communication networks and computer systems. In networks, this principle is applied via firewalls and intrusion protection systems deployed throughout a given network rather than only at its edge. Similarly, in computer systems, this kind of thinking results in logging service use at a variety of different layers and in different modules, or in checking credentials for access at multiple points in a sequence of instructions.
This principle adopts Saltzer's thinking as well.
Transitive Trust
Transitive trust is extending trust to a service that is trusted by an already trusted service. This approach is commonly used today in booting secure systems. In these systems, control is passed from one service to another service that is trusted by the original service. This creates a trusted chain of control which is assumed to be trustworthy if, first, the inter-service trust is deserved, and second, the original root of trust is, in fact, trustworthy.
Chain of Control
Systems that use trusted chains of control exploit transitive trust to provide a trusted execution pipeline. This principle is used to provide efficient trusted computing bases in secure systems.
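The transitive-trust and chain-of-control ideas above, as an added example that is not from the original post: a simplified boot chain in which every stage embeds the digest it expects of its successor, and a verifier walks the chain from a root-of-trust value standing in for an immutable hardware anchor. Stage names and images are hypothetical and constructed; a real system would use signatures rather than bare hashes, but the reasoning about where trust stops is the same.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified secure-boot chain (hypothetical names and images).
# Each stage embeds the digest it expects of its successor; a real system
# would use signatures and a hardware root, but the chain logic is the same.

@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes                # code that runs at this stage
    next_digest: Optional[str]  # expected digest of the successor, None for the last link

def stage_digest(stage: Stage) -> str:
    """Digest covers the image and its embedded expectation, so neither can be swapped silently."""
    h = hashlib.sha256(stage.image)
    h.update((stage.next_digest or "").encode())
    return h.hexdigest()

def build_chain(images: list) -> tuple:
    """Link stages back to front; returns (root_of_trust_digest, stages)."""
    stages, next_digest = [], None
    for name, image in reversed(images):
        stage = Stage(name, image, next_digest)
        stages.append(stage)
        next_digest = stage_digest(stage)
    # The root-of-trust value is what a hardware anchor (e.g. ROM or TPM) would hold.
    return next_digest, list(reversed(stages))

def verify_chain(root_of_trust: str, stages: list) -> tuple:
    """Walk the chain; trust is extended only through links whose digest matches."""
    expected = root_of_trust
    for stage in stages:
        if expected is None or stage_digest(stage) != expected:
            return False, stage.name  # trust stops here; nothing after it is trusted
        expected = stage.next_digest
    return expected is None, None     # a dangling expectation also fails

def tamper(stages: list, name: str, new_image: bytes) -> list:
    """Replace one stage's image while leaving its embedded expectation untouched."""
    return [Stage(s.name, new_image, s.next_digest) if s.name == name else s for s in stages]

if __name__ == "__main__":
    root, chain = build_chain([("rom_loader", b"stage0"), ("bootloader", b"stage1"), ("kernel", b"stage2")])
    print(verify_chain(root, chain))                              # (True, None)
    print(verify_chain(root, tamper(chain, "kernel", b"evil")))   # (False, 'kernel')
    # A fully rebuilt chain is self-consistent but does not match the anchored root:
    alt_root, alt_chain = build_chain([("rom_loader", b"stage0"), ("bootloader", b"x"), ("kernel", b"evil")])
    print(verify_chain(root, alt_chain))                          # (False, 'rom_loader')
```

The last case is the page's second condition in code form: a chain that is internally consistent proves nothing unless its first link matches a root of trust the verifier already holds.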
Deny by Default
An extension of Saltzer's thinking, this principle takes the idea of fail-safe defaults to its conclusion: deny everything that you do not explicitly allow. With the explosion of overall complexity in computer communication protocols and services, and the usually specific purposes for which we use our general-purpose computers, explicitly allowing the few services we need is much more effective than allowing everything except a few untrusted protocols or services. Because this approach simplifies the overall management of cyber-systems, it also adheres to the earlier principles related to system simplification.
Separation of Duty
Separation of duty extends separation of privilege. While separation of privilege specifically addresses separating the privilege required to perform certain activities, separation of duty also separates the activities themselves. By separating specific duties so that they are performed by separate individuals, systems have intrinsic checks and balances that can protect them from insider threats. Further application of the principle of least privilege then results in a system that provides separation of privilege as each individual is only given privileges to allow them to complete their specific tasks.
In 2014, IEEE came out with cybersecurity design guidance too. We'll cover that next.