Security Rules Of Thumb.

During tonight’s iPhone judging contest, one of the projects was one which handles personal information in a way which requires a fair degree of security. Unfortunately I didn’t have the time to make some simple observations about security, so I’ll note them here instead. So here are some simple security rules of thumb:

(1) “Never underestimate the power of human stupidity.” — Robert Heinlein.

(2) Security by obscurity simply gives a single point of failure. That includes things like “hidden” encryption keys.

(3) Unless you have a degree in Mathematics with a specialty in abstract algebra and encryption algorithms, and later either got a Ph.D. in encryption security or apprenticed at the NSA for a few years, do not create your own encryption algorithm. (These guys invented their own system, and how many microseconds did it take to break it?)

(4) Always salt your passwords: One-way hashing never is.

(5) Never pad your blocks with zeros.

(6) Be aware of man-in-the-middle attacks and design to work around them.

(7) Two factor authentication means something other than what the banks think it means.

(8) Security only increases the cost to break in a system: if you put something behind a security barrier that is worth more than the cost of breaking the system, someone will break it.

(9) Social engineering is your greatest enemy. The best key lock systems protected by armed guards, security cameras and a barbed wire fence won’t protect you against a helpful employee who holds the back door for some nice young man.

(10) If you don’t understand the stuff above, for God’s sake, hire someone who does.

2 thoughts on “Security Rules Of Thumb.

  1. Pingback: Further thoughts on Security. « Development Chaos Theory

  2. Pingback: Further thoughts on Security. | Development Chaos Theory

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s