Insecure Design is a category of vulnerabilities that cannot be fixed by implementation alone. The problem is in the architecture. No patch can fix bad design.
Examples of Insecure Design
- Password reset via security questions
- E-shop without limits on coupon codes
- API without rate limiting on sensitive endpoints
- Authentication via SMS without an alternative (SIM swap)
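The second item in the list above is a pure design flaw: the code that validates a coupon can be correct and the shop still loses money, because nobody decided how many times a code may be used. The following is an added example (not from the page): the unlimited redemption handler beside one whose limits were designed in. The Coupon type, the limit values and the sample users are assumptions made for the demonstration.

```python
# Added example (not from the page): coupon redemption with and without
# designed limits. The Coupon type and the limit values are assumptions.
from dataclasses import dataclass, field
from datetime import date

DEMO_DAY = date(2025, 6, 1)        # constructed "today" for the demo
AFTER_EXPIRY = date(2031, 1, 1)    # constructed date after the coupon expires


class RedemptionError(Exception):
    pass


@dataclass
class Coupon:
    code: str
    discount_pct: int
    max_total_uses: int          # campaign budget, e.g. first N orders
    max_uses_per_user: int       # usually 1
    expires: date
    uses: int = 0
    used_by: dict = field(default_factory=dict)   # user_id -> redemptions


def redeem_insecure(coupon: Coupon, user_id: str, today: date) -> int:
    """Insecure design: the code exists, so the discount is applied.
    Nothing bounds how often one user, or everyone, can redeem it."""
    coupon.uses += 1
    return coupon.discount_pct


def redeem(coupon: Coupon, user_id: str, today: date) -> int:
    """Designed limits: expiry, the campaign budget and the per-user cap
    are checked before the discount is granted and the use is recorded.
    In a real store the check and the increment must run in one
    transaction, otherwise concurrent requests can exceed the limits."""
    if today > coupon.expires:
        raise RedemptionError("coupon expired")
    if coupon.uses >= coupon.max_total_uses:
        raise RedemptionError("campaign budget exhausted")
    if coupon.used_by.get(user_id, 0) >= coupon.max_uses_per_user:
        raise RedemptionError("per-user limit reached")
    coupon.uses += 1
    coupon.used_by[user_id] = coupon.used_by.get(user_id, 0) + 1
    return coupon.discount_pct


def count_successful(redeem_fn, coupon: Coupon, user_ids, today: date) -> int:
    """Replay a list of redemption attempts and count those that succeed."""
    ok = 0
    for uid in user_ids:
        try:
            redeem_fn(coupon, uid, today)
            ok += 1
        except RedemptionError:
            pass
    return ok


def new_coupon() -> Coupon:
    # Constructed sample coupon: 20% off, 5 redemptions in total, one per user.
    return Coupon("WELCOME20", 20, max_total_uses=5, max_uses_per_user=1,
                  expires=date(2030, 1, 1))


if __name__ == "__main__":
    attempts = ["alice"] * 50    # one user submitting the same code repeatedly
    print(count_successful(redeem_insecure, new_coupon(), attempts, DEMO_DAY))  # 50
    print(count_successful(redeem, new_coupon(), attempts, DEMO_DAY))           # 1
```

The point is not the three `if` statements but the questions behind them (how many uses, per whom, until when), which have to be answered at design time; an implementation review of `redeem_insecure` finds no bug.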
Threat Modeling — STRIDE
- Spoofing — impersonating another identity
- Tampering — unauthorized modification
- Repudiation — denying an action
- Information Disclosure — information leakage
- Denial of Service — making service unavailable
- Elevation of Privilege — privilege escalation
Secure by Design Principles
- Defense in depth — multiple layers of protection
- Least privilege — minimum necessary permissions
- Fail secure — lock down on failure, don’t open up
- Separation of duties
- Trust boundaries — clear boundaries of trust
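"Fail secure" is the principle most often lost in implementation, because the fail-open version keeps the service up and looks like good engineering. The following is an added example (not from the page) showing the same authorization check written both ways; `PolicyStore` stands in for a real policy service and its rules are constructed.

```python
# Added example (not from the page): the same authorization check written
# fail open and fail secure. PolicyStore stands in for a real policy
# service; the rules are constructed.
import logging

log = logging.getLogger("authz")


class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot answer (timeout, outage)."""


class PolicyStore:
    def __init__(self, rules: dict, available: bool = True):
        self._rules = rules          # {(role, action): True}
        self.available = available

    def allows(self, role: str, action: str) -> bool:
        if not self.available:
            raise PolicyUnavailable("policy backend down")
        # Least privilege: anything not explicitly granted is denied.
        return self._rules.get((role, action), False)


def authorize_fail_open(store: PolicyStore, role: str, action: str) -> bool:
    """Insecure: a backend outage turns into a blanket allow."""
    try:
        return store.allows(role, action)
    except PolicyUnavailable:
        log.warning("policy unavailable, allowing %s/%s", role, action)
        return True


def authorize_fail_secure(store: PolicyStore, role: str, action: str) -> bool:
    """Fail secure: when the decision cannot be made, deny and alert."""
    try:
        return store.allows(role, action)
    except PolicyUnavailable:
        log.error("policy unavailable, denying %s/%s", role, action)
        return False


def make_store(available: bool) -> PolicyStore:
    # Constructed rules: only admins may delete orders.
    return PolicyStore({("admin", "delete_order"): True}, available=available)


if __name__ == "__main__":
    down = make_store(available=False)
    print(authorize_fail_open(down, "customer", "delete_order"))    # True
    print(authorize_fail_secure(down, "customer", "delete_order"))  # False
```

Denying on failure trades availability for safety, so the design also needs the outage to be visible: the `log.error` call is the minimum, and in practice it should feed an alert so the denial does not sit unnoticed.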
Threat Model as Code
OWASP Top 10: Insecure Design
```yaml
application: e-shop
data_flows:
  - name: user_login
    source: browser
    destination: auth_service
    threats:
      - type: spoofing
        mitigation: MFA + rate limiting
      - type: information_disclosure
        mitigation: TLS 1.3, no password in logs
```
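A threat model kept as code is only useful if something reads it. The following is an added example (not from the page) of a check that walks a model in the YAML shape above and reports flows that list a threat without a mitigation, or that come from outside the trust boundary without considering the STRIDE categories required for such flows. The model is embedded as a Python dict, the same structure `yaml.safe_load` would return for the YAML above, so it runs without PyYAML; the second flow, the required-threat set and the list of external sources are assumptions.

```python
# Added example (not from the page): STRIDE coverage check for a threat
# model in the page's YAML shape. The dict mirrors what yaml.safe_load
# would return; the second flow and the policy constants are assumptions.
from typing import List

STRIDE = ("spoofing", "tampering", "repudiation", "information_disclosure",
          "denial_of_service", "elevation_of_privilege")

# Assumed policy: any flow entering from an external source must at least
# consider these four categories.
EXTERNAL_SOURCES = {"browser", "mobile_app"}
REQUIRED_FOR_EXTERNAL = {"spoofing", "tampering", "information_disclosure",
                         "denial_of_service"}

# Constructed sample, same shape as the YAML threat model above.
THREAT_MODEL = {
    "application": "e-shop",
    "data_flows": [
        {"name": "user_login", "source": "browser", "destination": "auth_service",
         "threats": [
             {"type": "spoofing", "mitigation": "MFA + rate limiting"},
             {"type": "information_disclosure",
              "mitigation": "TLS 1.3, no password in logs"},
         ]},
        {"name": "apply_coupon", "source": "browser",
         "destination": "checkout_service",
         "threats": [
             {"type": "tampering", "mitigation": ""},   # listed, never mitigated
         ]},
    ],
}


def check_flow(flow: dict) -> List[str]:
    """Return findings for one data flow; an empty list means it passes."""
    findings = []
    seen = set()
    for threat in flow.get("threats", []):
        ttype = threat.get("type")
        if ttype not in STRIDE:
            findings.append(f"{flow['name']}: unknown threat type {ttype!r}")
            continue
        if not threat.get("mitigation", "").strip():
            findings.append(f"{flow['name']}: {ttype} has no mitigation")
        seen.add(ttype)
    if flow.get("source") in EXTERNAL_SOURCES:
        for missing in sorted(REQUIRED_FOR_EXTERNAL - seen):
            findings.append(
                f"{flow['name']}: {missing} not considered for external flow")
    return findings


def check_model(model: dict) -> List[str]:
    """Run check_flow over every flow; suitable as a CI gate on the model file."""
    findings = []
    for flow in model.get("data_flows", []):
        findings.extend(check_flow(flow))
    return findings


if __name__ == "__main__":
    for line in check_model(THREAT_MODEL):
        print(line)
    # user_login: tampering and denial_of_service never considered;
    # apply_coupon: empty mitigation plus three unconsidered categories.
```

Run as a CI step, a non-empty result fails the build, which turns the page's "do threat modeling before the first line of code" into a check that keeps being applied as new flows are added.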
Key Takeaway
Security starts in the design, not in the code. Do threat modeling before the first line of code.