1.4 End-to-End Security
The final concept we introduce in this chapter is
end-to-end
security,
which is the result of considering the wider aspects of security,
beyond the resources and secrets protected by your application.
Although this book is focused on implementing software security, it
is important that you take a higher-level view, taking into account
the real world and its complexity. The following sections highlight
other issues that you should consider.
1.4.1 Real-World Trust Relationships
One of the most important things to remember about
security is that not everyone shares your motivations and
aspirations, and not everyone thinks the way that you think. The most
carefully defined software trust system may not reflect the actual
trust that has been granted to users of an application.
As a simple example, when we outlined the important roles that play
in security, we differentiated between the legitimate users of an
application and the hackers who want to subvert it. The reality is
less clear-cut; most fraud is perpetrated by employees otherwise
trusted by their company; when you grant trust to a user, you may be
providing that individual tools that will be used to defraud, and
otherwise rob, your company.
Differences in motivation are especially relevant when considering
coercion; although you may feel that the security and profitability
of your application is paramount, others may not. In some countries,
it is common to rob a bank by kidnapping the branch
manager's children, coercing the manager to unlock
the bank and provide access to the vaults in order to secure the
freedom of his offspring. The robbers have secured access to the
protected resources with the explicit cooperation of a trusted
employee. When thinking about security, you must give consideration
to motivation, both of the potential users and the potential
attackers.
1.4.2 Side Channels
A side-channel
attack employs methods that have little to do
with the software security measures that protect an application. For
example, looking over a person's shoulder while he
types his password circumvents any policy that may be put in place to
control identity authentication; the attacker has side-stepped the
security measures and can now access the system.
Identifying potential side-channel attacks takes a lot of lateral
thinking, and requires careful evaluation of the information exposed
by your security systems that attackers might be able to exploit.
Various smart-card technologies, for example, have been compromised
by analyzing variations in power consumption, electromagnetic
radiation, and the amount of time taken to process an authentication
request associated with their use. Such an attack takes time and
determination, but can be profitable if the smart card is used to
manage cash transactions or provides access to expensive resources.
1.4.3 Physical Security
Physical security is often ignored when application software is
secured. Many years of effort may go into designing an application
that carefully controls access to the contents of a warehouse, but if
the security of the warehouse itself is weak, then attackers will
simply steal your goods directly rather than attempting to subvert
your application to ship goods free-of-charge.
A good example of physical security is represented by automated
teller machines (ATMs). An ATM employs physical measures to protect
against tampering and outright theft, as well as the software
measures that authenticate your card and PIN number.
1.4.4 Third-Party Software
Finally, we draw your attention to third-party
software, which you may rely on for the development of your
application. Examples of this kind of software include development
environments (such as Microsoft Visual Studio .NET), class libraries,
and language compilers.
It is important for you to understand that by using third-party
software, you are trusting the software publisher to produce software
that does not present a security risk, either in the functionality
that is provided or by the introduction of malicious features. You
should also realize that when you distribute software that depends on
third-party software, you are asking your customers to grant the same
level of trust to the third parties as they do to you and your
organization.
For example, you may trust Microsoft to produce safe and secure
software, and you may feel confident that Internet Explorer provides
a secure environment in which to browse the World Wide Web. However,
if you look at the information provided by the
"About Internet Explorer" window,
you will see that Internet Explorer 6 is built, in part, with
software licenses from the following organizations:
When you trust Microsoft to deliver Internet Explorer without the
inclusion of security-related defects or malicious code, you also
implicitly trust all of the companies listed above, some that you may
not even have heard of. Each of these companies may in turn license
content or functionality from other publishers, and the chain
continues; the trust that you confer on an individual software
publisher goes far beyond what you may expect, and this is equally
true for development software and class libraries as it is for
Windows applications.
When selecting third-party tools and libraries for your development
projects, you must consider the level of trust that you assign to the
software publisher and any other companies or
individuals that may have contributed to these products.
 | 
