How to think about Security

Rewind to Yesterday
I remember the early days very well; I’d get an email from someone asking for the best way to do something securely. It would usually be a relatively vague email, like, “how do we protect our network traffic?” or “where should I store the database connection string?”

Both of these questions are really hard to answer, sure you can take a wild stab at a solution, but chances are the person at the other end would provide a follow-up email yielding a little more information about the scenario which would make you re-visit the solution.

Fast forward to Today
Oh, how things have changed! Now, whenever I get emails about protecting stuff from attack they always include one little data point which makes life so much easier: the threats. Once I know the threats concerning you, I can answer the question correctly.

Emails I get now from within Microsoft follow this pattern:

“We’re building a web app. The bad guy we’re concerned about is the internal disgruntled employee, we want to prevent him from tampering with the data, he can see it, just not change it, and this must run on Win2000 and later. What’s the best way to protect these data?”

Once I know who you’re up against, and what threats you want to protect against, I can make an honest attempt to provide a solution. Note the question includes constraints too, like the target platform. This really helps me, as some better solutions (read: more secure) can only be found on later platforms.

The moral of this story is simple. Don’t just ask, “How do I secure this,” ask, “How do I secure this from these threats.”

FWIW, “threats” and “threat modeling” are part of the standard vocabulary at Microsoft. You simply cannot build secure products unless you understand the threats.