Archive for September, 2008

It’s Only a Model

Monday, September 15th, 2008

Recently (and by recently I mean within the last three months; I am only now getting around to posting my thoughts on it), a colleague challenged whether the so-called “Positive Security Model” that I so often reference in my security architectures is really a model at all. His comments are below:

“What is the “Model” part? If it’s a principle, then isn’t the name “Positive Security”? If there is a model, then what are the components of the model? If there really is a model, then I should be able to see some set of the principles embodied in the model.”

In my opinion, the Positive Security Model is one of the fundamental models that should be included in a high-level security architecture. I recognize that it may not be practical in all situations and isn’t foolproof, but I think it is an important default approach to control design. I would really like to see more developers start with this approach and fall back on other methods only when it isn’t practical to define all the allowable inputs. In network security we typically use the example of a firewall: you don’t want to start with an Any-Any-Allow rule and only block known bad traffic; you want to start with an Any-Any-Deny rule and only allow explicitly needed business traffic. I think the same model should be applied to application input validation. Only allow specified characters, lengths, types, etc., rather than just checking for bad ones.
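As an added illustration (not from the original post), here is the input-validation version of the Any-Any-Deny principle: a constructed username field checked first with a denylist of known-bad characters and then with a positive-model check that defines the allowed type, length and character set. The sample inputs are constructed for the example.

```python
import re

# Negative model: reject only inputs containing characters we already know are bad.
DENIED_CHARS = set("<>'\";&|")

def negative_model_accepts(value) -> bool:
    """Deny-known-bad: anything not on the denylist gets through."""
    return not any(ch in DENIED_CHARS for ch in str(value))

# Positive model: state exactly what a username is allowed to be.
MIN_LEN, MAX_LEN = 3, 16                       # allowed length range
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]*")   # allowed character set and shape

def positive_model_accepts(value) -> bool:
    """Allow-only-known-good: type, length and characters must all be as specified."""
    if not isinstance(value, str):             # type check first
        return False
    if not (MIN_LEN <= len(value) <= MAX_LEN): # length check
        return False
    # fullmatch requires the whole string to match; a '$'-anchored re.match would
    # still accept a trailing newline, which is exactly the kind of gap a
    # positive model is meant to close.
    return USERNAME_RE.fullmatch(value) is not None

# Constructed sample inputs: ordinary, too short, too long, hidden whitespace,
# trailing newline, wrong type, and one with a character the denylist knows about.
SAMPLES = [
    "alice_01",
    "al",
    "a" * 200,
    "alice\u200b",   # zero-width space, invisible when rendered
    "alice\n",
    12345,
    "bob<b>",
]

def compare(samples):
    """Return {input: (denylist_verdict, allowlist_verdict)} for each sample."""
    return {s: (negative_model_accepts(s), positive_model_accepts(s)) for s in samples}

def accepted_only_by_denylist(samples):
    """Inputs the negative model lets through that the positive model rejects."""
    return [s for s, (neg, pos) in compare(samples).items() if neg and not pos]

if __name__ == "__main__":
    for sample, (neg, pos) in compare(SAMPLES).items():
        print(f"{sample!r:>22}  denylist={neg!s:<5} allowlist={pos}")
```

Every input the denylist passes but the allowlist rejects is a case the negative model simply had no rule for, which is the point of starting from what is allowed.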

What I like about including the Positive Security Model as a basic principle is that it hopefully gets people into the right state of mind to approach security: start by defining only what should be allowed and work from there, rather than starting by defining what shouldn’t be allowed. It may just be an academic difference, but referring only to whitelists and blacklists seems too specific and brings its own baggage. When I hear whitelist, for example, I immediately think of Web URL filtering. I think whitelisting is just one mechanism that can be derived from a positive security model. Other principles, such as Least Privilege, can I think also be derived from the concept of a positive security model.

I see this as one fundamental model or principle (still undecided here) that needs to be included in the highest-level security architecture. It provides a good basis for approaching security design by focusing on the expected business logic and interactions, rather than limiting the process to well-known countermeasures and controls.