### Week 8: Defense-in-Depth

Understand the concept of defense-in-depth and how a layered approach to security is a core engineering practice.
- Learn about Security Principles: Understand the principles of "fail-safe" (a system that defaults to a safe state upon failure, e.g., a traffic light stuck on red) and "fail-secure" (a system that defaults to a secure/locked state upon failure, e.g., a server logging out all users if a security service fails).

Defense-in-Depth: Understand how a multi-layered security approach is stronger than relying on a single defense mechanism (e.g., using a firewall, an intrusion detection system, and user authentication together).

Diagram a hypothetical system and add multiple layers of security (e.g., a firewall, an intrusion detection system, and user authentication).

https://devguide.owasp.org/en/02-foundations/03-security-principles/#:~:text=block%20the%20exploit.-,Fail%20Safe,upon%20design%20or%20implementation%20flaws.

#### Fail-safe and Fail-secure
 https://www.google.com/search?q=security+principles+cybersecurity+fail-safe&num=10&sca_esv=ad0273e9029daca4&rlz=1C1PNFE_enPH1112PH1112&sxsrf=AE3TifOfCALvlrxhw6sFpe_nKKIH3GS_Ew%3A1759417126349&ei=JpPeaOv2D5_e2roPmNnqyA4&ved=0ahUKEwjrocrG44WQAxUfr1YBHZisGukQ4dUDCBA&uact=5&oq=security+principles+cybersecurity+fail-safe&gs_lp=Egxnd3Mtd2l6LXNlcnAiK3NlY3VyaXR5IHByaW5jaXBsZXMgY3liZXJzZWN1cml0eSBmYWlsLXNhZmUyBRAhGKABMgUQIRigATIFECEYoAEyBRAhGJ8FSPoKUO4BWPgJcAF4AZABAJgBogGgAZ4JqgEDMi44uAEDyAEA-AEBmAILoALWCcICChAAGLADGNYEGEfCAgYQABgWGB7CAgsQABiABBiGAxiKBcICCBAAGIAEGKIEwgIIEAAYogQYiQXCAgUQABjvBcICBxAhGKABGAqYAwCIBgGQBgiSBwMyLjmgB9wusgcDMS45uAfQCcIHBTAuOC4zyAch&sclient=gws-wiz-serp

In cybersecurity, a "fail-safe" approach, also known as fail-safe defaults or fail secure, is a design principle where a system's default configuration denies all access by default, requiring explicit permission for anything to be allowed. If a system encounters an error or failure, it should revert to this secure state, restricting access rather than leaving resources unprotected, thereby preserving confidentiality, integrity, and availability. 

https://www.linkedin.com/pulse/understanding-principle-fail-safe-defaults-marc-degli-xgxcc/

Fail-safe = Unless a user is explicitly granted permission, access should be denied by default.
Having fail-safe defaults ensures that there are no alternative methods made by the server as these actions could potentially open doors for attackers to exploit the system, denial of service attacks (DoS) are usually done this way. 

Principle of least privilege : access should be granted only to a specific need or what is necessary so if this account is compromised then there risks wont spill over to other areas of concern.

##### How Fail-Safe Works:
https://devguide.owasp.org/en/02-foundations/03-security-principles/#:~:text=block%20the%20exploit.-,Fail%20Safe,upon%20design%20or%20implementation%20flaws.

1. Deny by Default:
- Instead of denying access only to specific actions, the system starts with a restrictive stance, denying everything unless a rule specifically permits it. 
2. Explicit Permissions:
- For access to be granted, explicit authorization must be provided. This is like using an "allowlist" (or whitelist) of permitted actions rather than a "denylist" (or blacklist) that blocks specific items.
3. Secure State During Failure:
- If a design or implementation flaw occurs, or an attack happens, the system will automatically fall into a secure state, restricting access instead of granting it. 

Example: A new cloud storage folder being set to "private" by default ensures files aren't exposed until explicit sharing permissions are granted


##### Why Fail-Safe is Important
1. Prevents Unauthorized Access:
- By defaulting to denial, it significantly reduces the chances of an attacker or unauthorized user gaining access to sensitive information or functions. 
2. Increases Security:
- Implementing fail-safe defaults makes security a core part of the system, rather than an afterthought
3. Detects Flaws Faster:
- A design or implementation mistake that leads to access refusal is a "safe" failure that is quickly detected, according to Shostack + Associates. In contrast, a mistake that grants unintended access is often unnoticed. 
4. Core to Information Security:
- The principle aims to uphold the fundamental goals of information security: confidentiality (keeping information secret), integrity (ensuring information is accurate), and availability (making sure systems and data are accessible when needed),

Principles of Security
https://cheatsheetseries.owasp.org/index.html
https://devguide.owasp.org/en/02-foundations/03-security-principles/#:~:text=block%20the%20exploit.-,Fail%20Safe,upon%20design%20or%20implementation%20flaws

1. Security by Design - When developing systems, you should begin with identifying relevant security requirements and treat them as an integral part of the overall process and system design. Begin with establishing and adopting relevant principles and policies as a foundation for your design, then build security into your development life cycle. Keep also in mind that the system you are building also will be needing maintenance and that system operators will need to securely manage and even shutdown and dispose of the system. Therefore, commit to secure operations by developing secure "operational management"[^1] principles and practices. 
2. Security by Default - Secure by default means that the default configuration settings are the most secure settings possible. This is not necessarily the most user-friendly settings. Evaluate what the settings should be, based on both risk analysis and usability tests. As a result, the precise meaning is up to you to decide. Nevertheless, configure the system to only provide the least functionality and to specifically prohibit and/or restrict the use of all other functions, ports, protocols, and/or services. Also configure the defaults to be as restrictive as possible, according to best practices, without compromising the "Psychological acceptability" and "Usability and Manageability" of the system.
3. No security guarantee - One of the most important principles of software security is that no application or system is totally 100% guaranteed to be secure from all attacks. This may seem an unusually pessimistic starting point but it is merely acknowledging the real world; given enough time and enough resources any system can be compromised. The goal of software security is not '100% secure' but to make it hard enough and the rewards small enough that malicious actors look elsewhere for systems to exploit.
4. Defense in Depth -Also known as layered defense, defense in depth is a security principle where defense against attack is provided by multiple security controls. The aim is that single points of complete compromise are eliminated or mitigated by the incorporation of a series or multiple layers of security safeguards and risk-mitigation countermeasures.
    - If one layer of defense turns out to be inadequate then, if diverse defensive strategies are in place, another layer of defense may prevent a full breach and if that one is circumvented then the next layer may block the exploit.
5. Fail Safe - This is a security principle that aims to maintain confidentiality, integrity and availability when an error condition is detected. These error conditions may be a result of an attack, or may be due to design or implementation failures, in any case the system / applications should default to a secure state rather than an unsafe state.
    - For example unless an entity is given explicit access to an object, it should be denied access to that object by default. This is often described as 'Fail Safe Defaults' or 'Secure by Default'.
    - In the context of software security, the term 'fail secure' is commonly used interchangeably with fail safe, which comes from physical security terminology. Failing safe also helps software resiliency in that the system / application can rapidly recover upon design or implementation flaws.
6. Least Privilege - A security principle in which a person or process is given only the minimum level of access rights (privileges) that is necessary for that person or process to complete an assigned operation. This right must be given only for a minimum amount of time that is necessary to complete the operation.
    - This helps to limits the damage when a system is compromised by minimizing the ability of an attacker to escalate privileges both laterally or vertically. In order to apply this principle of least privilege proper granularity of privileges and permissions should be established.
7. Compartmentalize - The principle of least privilege works better if access rights are not an "all or nothing" access model. Instead, compartmentalize the access to information on a "need-to-know" basis in order to perform certain tasks. The compartmentalization principle helps in minimizing the impact of a security breach in case of a successful breach attempt but must be used in moderation in order to prevent the system from becoming unmanageable. Therefore, follow also the principle of "Economy of Mechanism".
8. Separation of Duties - Also known as separation of privilege, separation of duties is a security principle which requires that the successful completion of a single task is dependent upon two or more conditions that are insufficient, individually by themselves, for completing the task.
    - There are many applications for this principle, for example limiting the damage an aggrieved or malicious insider can do, or by limiting privilege escalation.
9. Economy of Mechanism - Also known as 'keep it simple', if there are multiple implementations then the simplest and most easily understood implementation should be chosen.
    - The likelihood of vulnerabilities increases with the complexity of the software architectural design and code, and increases further if it is hard to follow or review the code. The attack surface of the software is reduced by keeping the software design and implementation details simple and understandable.
10. Complete Mediation - A security principle that ensures that authority is not circumvented in subsequent requests of an object by a subject, by checking for authorization (rights and privileges) upon every request for the object.
    - In other words, the access requests by a subject for an object are completely mediated every time, so that all accesses to objects must be checked to ensure that they are allowed.
11. Open Design - The open design security principle states that the implementation details of the design should be independent of the design itself, allowing the design to remain open while the implementation can be kept secret. This is in contrast to security by obscurity where the security of the software is dependent upon the obscuring of the design itself. When software is architected using the open design concept, the review of the design itself will not result in the compromise of the safeguards in the software.
12. Least Common Mechanism - The security principle of least common mechanisms disallows the sharing of mechanisms that are common to more than one user or process if the users or processes are at different levels of privilege. This is important when defending against privilege escalation.
13. Psychological Acceptability - A security principle that aims at maximizing the usage and adoption of the security functionality in the software by ensuring that the security functionality is easy to use and at the same time transparent to the user. Ease of use and transparency are essential requirements for this security principle to be effective.
    - Security controls should not make the resource significantly more difficult to access than if the security control were not present. If a security control provides too much friction for the users then they may look for ways to defeat the control and “prop the doors open”.
14. Usability and Manageability - Is a principle related to psychological acceptability, but goes beyond just the perceived psychological acceptability to also include the design, implementation and operation of security controls. The configuration, administration and integration of security components should not be overly complex or obscure. Therefore, always use open standards for portability and interoperability, use common language in developing security requirements, design security to allow for regular adoption of new technology, ensure a secure and logical upgrade process exist, automate security management activities and strive for operational ease of use.
15. Secure the Weakest Link - This security principle states that the resiliency of your software against hacker attempts will depend heavily on the protection of its weakest components, be it the code, service or an interface. Therefore, identifying the weakest component and addressing the most serious risk first, until an acceptable level of risk is attained, is considered good security practice.
16. Leveraging Existing Components - This is a security principle that focuses on ensuring that the attack surface is not increased and no new vulnerabilities are introduced by promoting the reuse of existing software components, code and functionality.
    - Existing components are more likely to be tried and tested, and hence more secure, and also should have security patches available. In addition components developed within the open source community have the further benefit of 'many eyes' and are therefore likely to be even more secure.

Note to self: Refer to cheat sheets and reference in the link if needed.

 Diagram a hypothetical system and add multiple layers of security to illustrate the Defense-in-Depth concept.



Final Reflection Prompt: Write about the parallel: "How is refactoring your code to improve its structure and efficiency similar to hardening a system against attack?" (Hint: Both involve removing unnecessary complexity and vulnerabilities).