Skip to content
Red Lambda software and downloads for network security.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md

README.md

This document helps you think through possible security issues in your software, as well as providing resources to address some common problems.

alt text

Part 1 - Understand and Communicate a Threat Model

Think of a threat model - a situation with a user (or type of user) and a context that frames their personal security preferences and situation. Concepts you should consider (and a few examples of each) include:

  • Attack surface (what tech/situation exposes them, e.g. systems they use, places they go)
  • Adversaries (who may be interested in compromising their security, e.g. criminals, pranksters)
  • Attack vectors (specifically how they may be compromised, e.g. password theft/cracking, surveillance)
  • Mitigations (what can be done to reduce the risk, e.g. 2-factor auth, encryption)

Part 2 - Practical Security

You can do things improve your personal security setup - if you’re not using a password manager, set one up. If you’re doing that, then set up two factor for some of your accounts. If you’re doing that, then set up proper SSH keypairs for services that support it (e.g. GitHub). And you can keep going - set up a GPG keypair, consider simple dedicated hardware for second factor, set up a trusted computer/VM running only open source software, set up a "sandboxed" environment for web browsing that doesn't save state, etc.

As you do this kind of analysis, take concrete steps to improve security - this means pick a suitably long passphrase to protect your password manager, and think about what your threat model is and what services you want to trust with what information. Some general tips:

  • If you are a software developer,you're a high value target (you are a potential attack vector to anyone who runs your code)
  • Unless you're working on something controversial for the political regime you reside in, the NSA/Mossad/KGB/MI5/etc. are probably not your adversaries
  • The sorts of threats you should worry about - common criminals/organized crime, botnets, malware, extortion (stealing your files, DDoS-ing your service)
  • For deciding whether or not to trust a service, consider history, reputation, and incentives, as well as what countries it operates in (which will impact the laws it is subject to, both in terms of disclosure and potential damages)

Some resources/goals:

You can’t perform that action at this time.