Evaluating Design 1 for Security

Design 1 for reference

Design 1 for reference

Now lets evaluate the design from "Security" point of view.

By this time you should have guessed that security itself can be of two different types viz Structural Security and Behavioral Security.

Structural Security

Principle of structural security says that "If the end user of the system can access or know about the internal structural details of the system, then the system is considered to be structurally insecure."

Behaviorial Security

While the principle of behavioral security says that "If the end user of the system can access or know about the behaviors of the system which is not supposed to access or know about , then the system is considered to be structurally insecure."

Since we are now aware of the rules, lets apply the same to the current design and see whether the current design satisfies the above mentioned rules.

Is there anything to stop a user from interacting with the structural components directly?

I feel the answer is no.. since the system is a complete white box, the entire the structural complexity is directly exposed to the user and there is no way to stop the user to access or know about the structural components of the system and hence the system is considered to be structurally insecure.

Similarly, Is there anything to stop a user from using or knowing about a behavior which he is not supposed to access or know about?

Again the answer is NO.. All the behaviors of the system are exposed to all the actors of the system and hence the system is considered to be behaviorally insecure.

In a nutshell we can say the Security of this system is WORST.

 
Hemant Jha
Founder - VPlanSolutions
Researcher, Trainer

www.VPlanSolutions.co.in