Security Hot Spots are a lens for security. If you know what you’re looking for, you can find it. When you don’t know what you’re looking for, you can waste a lot of time. The Hot Spots provide a way to find, organize and share software security knowledge. You can use hot spots to share principles, patterns, and practices. You can also use hot spots to share knowledge around threats, attacks, vulnerabilities, and countermeasures.
Rather than deal with a laundry list of information, use hot spots to focus your attention on key categories. The Hot Spots are actionable and they are high ROI. The Hot Spots help you simplify, clarify and gain insight before you elaborate, maximize and optimize. Before spending a lot of time going down the wrong paths, use Security Hot Spots to help you identify and map out your best opportunities. Another way to think of Security Hot Spots is the Pareto Principle, or 80/20 rule, in action.
Why Security Hot Spots
There are several reasons for using Security Hot Spots:
- Security Hot Spots are a way to chunk up the security space.
- Security Hot Spots create more meaningful filters for problem domains.
- Security Hot Spots act as durable, evolvable backdrops to help rationalize a space.
- It’s a living map. You can start with a baseline set of hot spots and add as you need to.
- They help you deal with information overload. You need a way to see the forest for the trees. You can use Security Hot Spots as a heat map.
- You can use Security Hot Spots to guide your inspections (security design inspection, security code inspection, and security deployment inspection).
- You can use Security Hot Spots to reduce friction.
Security Hot Spots (Application Level)
With Security Hot Spots, it’s easy to walk the categories and think of potential security problems or mistakes. Here are some example issues, grouped by Security Hot Spots at the application level:
Hot Spots | Examples |
---|---|
Auditing and Logging | |
Authentication | |
Authorization | |
Configuration Management | |
Cryptography | |
Exception Management | |
Input and Data Validation | |
Sensitive Data | |
Session Management | |
Security Hot Spots (Code Level)
Here’s a list of potential security mistakes and issues, grouped by Security Hot Spots at the code level:
Hot Spots | Examples |
---|---|
Authentication, Authorization and Trust | |
Cryptography and Secrets | |
Language and Feature Misuse | |
Logic Errors | |
Memory | |
Range | |
Synchronization and Timing | |
Type | |
Validation | |
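To make the code-level hot spots concrete, here is an added example (not code from the original post or from patterns & practices) of a hot-spot-driven inspection pass. It walks a constructed sample source listing, tags each finding with the code-level hot spot it belongs to, turns the counts into a heat map, and applies the 80/20 cut to decide which hot spots to inspect first. The regex heuristics, the rule descriptions and the sample lines are all assumptions made for illustration; a real inspection would use a richer rule set or a static analyser, and the categories covered are a subset of the table above.

```python
"""Hot-spot-driven code inspection over constructed sample source.

Added example: tags findings with a code-level hot spot, builds a heat map
from the counts, and takes a Pareto cut of where to inspect first. The
regex heuristics are deliberately simple assumptions for illustration,
not a substitute for a real static analyser.
"""
import re
from collections import Counter

# Illustrative heuristics per code-level hot spot (assumed, not exhaustive).
HOT_SPOT_RULES = {
    "Cryptography and Secrets": [
        (r'''(?i)\b(password|secret|api_key)\s*=\s*['"][^'"]+['"]''', "hard-coded secret"),
        (r"(?i)\b(md5|sha1|des)\b", "weak or legacy algorithm"),
    ],
    "Validation": [
        (r"\beval\s*\(", "eval on possibly untrusted input"),
        (r"\bos\.system\s*\(", "shell command built from strings"),
        (r'''execute\s*\(\s*['"].*['"]\s*\+''', "SQL built by string concatenation"),
    ],
    "Memory": [
        (r"\b(strcpy|strcat|sprintf|gets)\s*\(", "unbounded copy into a buffer"),
    ],
    "Authentication, Authorization and Trust": [
        (r"verify\s*=\s*False", "TLS certificate verification disabled"),
    ],
    "Synchronization and Timing": [
        (r"\bos\.path\.exists\s*\(", "check-then-use (TOCTOU candidate)"),
    ],
}

# Constructed sample source: one file's worth of lines with deliberate issues.
SAMPLE_SOURCE = [
    'password = "hunter2"',
    'secret = "s3cr3t"',
    'api_key = "example-key"',
    'digest = hashlib.md5(data)',
    'eval(request.args["expr"])',
    'os.system("ls " + user_dir)',
    'cursor.execute("SELECT * FROM t WHERE id=" + uid)',
    'strcpy(buf, argv[1]);',
    'requests.get(url, verify=False)',
    'if os.path.exists(p): open(p, "w").write(d)',
]


def inspect(lines):
    """Return (hot_spot, description, line_no, text) for every rule hit."""
    findings = []
    for line_no, text in enumerate(lines, 1):
        for hot_spot, rules in HOT_SPOT_RULES.items():
            for pattern, description in rules:
                if re.search(pattern, text):
                    findings.append((hot_spot, description, line_no, text.strip()))
    return findings


def heat_map(findings):
    """Findings per hot spot, hottest first: the inspection's heat map."""
    return Counter(f[0] for f in findings).most_common()


def pareto_cut(heat, percent=80):
    """Smallest leading set of hot spots covering at least `percent` of findings.

    Integer arithmetic avoids float rounding exactly at the boundary.
    """
    total = sum(count for _, count in heat)
    covered, chosen = 0, []
    for hot_spot, count in heat:
        chosen.append(hot_spot)
        covered += count
        if covered * 100 >= percent * total:
            break
    return chosen


if __name__ == "__main__":
    found = inspect(SAMPLE_SOURCE)
    heat = heat_map(found)
    for hot_spot, count in heat:
        print(f"{count:2d}  {hot_spot}")
    print("Inspect first:", ", ".join(pareto_cut(heat)))
    for hot_spot, description, line_no, text in found:
        print(f"  line {line_no:2d} [{hot_spot}] {description}: {text}")
```

On the constructed sample, two hot spots (Cryptography and Secrets, Validation) account for seven of the ten findings, so the Pareto cut tells the inspector where to spend the first pass; the remaining categories still get a look, but after the hot ones.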
Case Studies / Examples
Using Security Hot Spots produces results. Here are examples of Security Hot Spots in action:
- Security Guides / Books. Security Hot Spots helped frame the patterns & practices books: Building Secure ASP.NET Applications, Improving Web Application Security, Security Engineering Explained, and Improving Web Services Security.
- Competitive Assessments. Security Hot Spots helped frame and drive the results for competitive assessments: .NET 1.1 vs. WebSphere 5.0, OpenHack4, and Security Engineering Study.
- Web Application Security Frame. Security Hot Spots helped create the Web Application Security Frame, which is an organizing backdrop for Web Application Security Guidelines and Web Application Threats, Attacks, Vulnerabilities and Countermeasures.
- Web Services Security Frame. Security Hot Spots helped create the Web Services Security Frame, which is used as an organizing backdrop for Web Services Design Guidelines and Web Services Threats, Attacks, Vulnerabilities and Countermeasures.
- Security Engineering Methodology. The heart of our patterns & practices Security Engineering Methodology is Security Hot Spot driven. We focus on the high ROI activities and each activity uses Security Hot Spots to focus results.
- Security Inspections. Security Hot Spots help drive results for our patterns & practices Security Design Inspection, Security Code Inspection, and Security Deployment Inspection.
- Security Checklists. Security Hot Spots help organize the patterns & practices Security Design Checklist for Web Applications and the Security Design Checklist for Web Services.
- Threat Modeling. Much of the optimization in our patterns & practices Threat Modeling comes from leveraging Security Hot Spots. We use the Security Hot Spots to help identify threats, attacks, and vulnerabilities.
Questions for Reflection
Hot spots are a powerful way to share information. Here are some questions to help you turn insight into action:
- How can you leverage Security Hot Spots to improve security results in your organization?
- How can you organize your bodies of knowledge using Security Hot Spots?
- How can you improve sharing patterns and anti-patterns using Security Hot Spots?
- How can you improve checklists using Security Hot Spots?
- How can you tune and prune your security inspections using Security Hot Spots?
Thanks for the information! Now I’ll go and check all these spots on my server/apps.