nwave-ai/nw-security-by-design

Security by Design

OWASP Security Design Principles

Apply these during design -- retrofitting security is 10-100x more expensive.

| # | Principle | Architect Action | |---|-----------|-----------------| | 1 | Security by Design | Include security requirements in architecture documents | | 2 | Security by Default | Ship restrictive defaults; require explicit opt-in for relaxed settings | | 3 | Defense in Depth | Layer controls: WAF + input validation + output encoding + parameterized queries | | 4 | Fail Secure | Deny access on error; closed-by-default network policies | | 5 | Least Privilege | Scoped service accounts; time-limited tokens; minimum permissions | | 6 | Compartmentalize | Network segmentation; separate databases per trust level | | 7 | Separation of Duties | Separate deployment approval from code authorship | | 8 | Economy of Mechanism | Minimize attack surface; simple, auditable security code | | 9 | Complete Mediation | Check authorization on every request; no cached auth decisions | | 10 | Open Design | Use published, peer-reviewed algorithms; no security-through-obscurity | | 11 | Least Common Mechanism | Separate admin and user interfaces | | 12 | Psychological Acceptability | Make the secure path the easy path; minimize user friction |

STRIDE Threat Modeling

Apply STRIDE to every component in a Data Flow Diagram (DFD). Four questions drive every session:

1. What are we working on? (system model)
2. What can go wrong? (threat identification)
3. What are we going to do about it? (mitigation)
4. Did we do a good enough job? (review)

STRIDE Reference

| Threat | Violated Property | Architectural Mitigation | |--------|-------------------|--------------------------| | Spoofing | Authentication | MFA, mutual TLS, certificate pinning, OAuth2+PKCE | | Tampering | Integrity | Input validation, HMAC, parameterized queries, immutable infra | | Repudiation | Non-repudiation | Tamper-evident logging (append-only), digital signatures, SIEM | | Info Disclosure | Confidentiality | Encryption at rest+transit, least privilege, generic error messages | | Denial of Service | Availability | Rate limiting, circuit breakers, auto-scaling, query complexity limits | | Elevation of Privilege | Authorization | Least privilege, RBAC/ABAC, signed tokens verified server-side |

STRIDE per DFD Element

| DFD Element | Most Relevant Threats | |-------------|----------------------| | External Entity | Spoofing | | Process | All six STRIDE threats | | Data Store | Tampering, Info Disclosure, Repudiation, DoS | | Data Flow | Tampering, Info Disclosure, DoS | | Trust Boundary | Spoofing, Tampering, Elevation of Privilege |

Risk Response Options

| Response | When | Example | |----------|------|---------| | Mitigate | Probable and impactful; controls feasible | Add MFA for spoofing on admin login | | Eliminate | Remove feature/component entirely | Remove unused admin API endpoint | | Transfer | Better managed by another party | Use managed IdP (Auth0, Cognito) | | Accept | Low risk; mitigation cost exceeds impact | Accept DoS risk on internal status page |

OWASP Top 10 -- Architectural Prevention

Focus on what the architect decides at design time, not implementation details.

A01: Broken Access Control (61% of breaches)

• Deny by default -- no endpoint open unless explicitly granted
• Centralized authorization service (OPA, Casbin, Cedar), not scattered checks
• Resource-level ownership -- queries scoped to authenticated user
• ABAC over simple RBAC for complex multi-tenant systems
• CORS with explicit origin allowlists -- never wildcards with credentials

A02/A05: Security Misconfiguration (rose to #2 in 2025)

• Infrastructure as Code with security scanning (tfsec, checkov) in CI/CD
• Hardened base images -- minimal containers with security baked in
• Configuration drift detection with automated alerting
• Environment parity -- same hardening across dev/staging/prod

A03: Injection (SQL #2 in CWE Top 25 2025)

• Parameterized queries everywhere -- reject PRs with string concatenation in SQL
• Treat ALL database-sourced data as potentially tainted (second-order injection)
• Allowlisting for dynamic query elements (table names, sort columns)
• Template sandboxing -- user input as DATA, never as template source

A04: Insecure Design (new in 2021)

• Mandate STRIDE analysis as gate for architecture reviews
• Abuse cases alongside every user story ("As an attacker, I want to...")
• State machines with explicit transitions for business logic
• Rate limiting built into architecture from day one

A06/Supply Chain (expanded in 2025)

• SCA scanning on every commit (Snyk, Dependabot)
• SBOM generation as build artifact
• Private package registry; block direct public pulls in production builds
• Lock files committed with integrity hash verification

A07: Authentication Failures

• Centralized IdP (Keycloak, Auth0, Cognito) -- no custom auth per service
• MFA required for sensitive data access and admin functions
• Progressive delays on failed attempts (exponential backoff, not permanent lockout)
• Session ID regeneration on every authentication state change

Secure Architecture Patterns

Zero Trust

Core: "Never trust, always verify" -- no implicit trust from network location.

| Component | Implementation | |-----------|---------------| | Identity verification | OAuth2/OIDC for users; mTLS for services | | Transport security | mTLS everywhere; service mesh (Istio, Linkerd) | | Micro-segmentation | Network policies limiting service-to-service | | Continuous verification | Re-authenticate and re-authorize every request | | Least privilege access | Scoped tokens; just-in-time access |

Input Validation Pipeline

User Input
  -> Validation (allowlist, type, length, format)
    -> Business Logic (parameterized queries, ORM)
      -> Output Encoding (context-aware: HTML, JS, URL, CSS)
        -> Client

Key: input validation is complementary, not primary defense. Output encoding prevents XSS. Parameterized queries prevent SQLi. Validation adds defense in depth.

Secrets Management

| Pattern | Implementation | |---------|---------------| | Centralized vault | HashiCorp Vault, AWS Secrets Manager, Azure Key Vault | | Sidecar injection | Vault agent injects secrets into pods at runtime | | Encrypted in repo | SOPS + KMS for GitOps workflows | | Pre-commit scanning | gitleaks or TruffleHog blocks secrets before they reach git |

Rules: never in source code | never in container images | rotate automatically | separate per environment | audit all access.

Required HTTP Security Headers

| Header | Value | Purpose | |--------|-------|---------| | Content-Security-Policy | Strict nonce-based | Prevent XSS | | Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Force HTTPS | | X-Content-Type-Options | nosniff | Prevent MIME sniffing | | X-Frame-Options | DENY or SAMEORIGIN | Prevent clickjacking | | Referrer-Policy | strict-origin-when-cross-origin | Control referrer | | Permissions-Policy | Feature-specific | Limit browser APIs |

Security Testing in CI/CD

| Type | Tests | Pipeline Stage | Tools | |------|-------|---------------|-------| | SAST | Source code vulnerabilities | Every commit/PR | Semgrep, CodeQL, SonarQube | | SCA | Dependency CVEs | Build stage | Snyk, Dependabot, Trivy | | DAST | Running application | Staging | OWASP ZAP, Burp Suite | | Secrets | Leaked credentials | Pre-commit + CI | gitleaks, TruffleHog |

Strategy: SAST pre-commit (fast) -> SCA at build -> container scan -> DAST on staging -> block on critical/high findings.

API Security Checklist (OWASP API Top 10)

| # | Threat | Architect Decision | |---|--------|--------------------| | API1 | BOLA (~40% of API attacks) | Object-level authorization in service layer, not just routes | | API4 | Unrestricted resource consumption | Rate limiting per-object, not just per-endpoint | | API5 | BFLA | Separate admin and user API surfaces | | API6 | Sensitive business flow abuse | State machine enforcement, idempotency keys | | API9 | Improper inventory management | API versioning with sunset policies; deprecate old versions | | API10 | Unsafe API consumption | Never trust third-party API responses; validate and sanitize |

GraphQL-Specific

• Disable introspection in production
• Set maximum query depth (10 levels) and complexity limits
• Limit batch size; exclude sensitive operations from batching
• Field-level authorization in resolvers

Defensive Coding Patterns (Cross-Reference for Crafters)

| Risk | Vulnerable Pattern | Secure Alternative | |------|-------------------|-------------------| | SQL Injection | f"SELECT * FROM users WHERE name = '{name}'" | Parameterized: cursor.execute("... WHERE name = %s", (name,)) | | Deserialization | pickle.loads(untrusted) | json.loads(untrusted) or Pydantic schema validation | | Command Injection | os.system(f"cmd {input}") | subprocess.run(["cmd", input], shell=False) | | SSTI | Template(user_input) | env.from_string(trusted).render(data=user_input) | | Mass Assignment | User(**request.json()) | DTO with explicit fields, server-set for sensitive | | TOCTOU Race | Read-check-write in separate steps | Atomic conditional update (UPDATE ... WHERE condition) | | Prototype Pollution (JS) | Object.assign(target, untrusted) | Map, null-prototype objects, strict schema validation |