For example, an integrity control should not respond to an attack by executing sensitive
functionality exposed through an administrative API service.

5. Avoid Integrity Security by Obscurity Alone

Security through obscurity is a weak security control, and nearly always fails when it is the only
control. The security of key systems should not be solely reliant upon keeping details hidden.

For example, an application should not rely solely upon an obfuscation control to prevent an
attacker from understanding the application: obfuscation raises the cost of analysis but does not
stop a determined reverse engineer. In addition to obfuscation, the application could include
Static Damage, Checksum, and the many other types of code integrity controls, working together
so that defeating one control does not defeat them all.

6. Simplicity

Attack surface area and simplicity go hand in hand. Where it is possible, without adversely
impacting the business model, to eliminate the storage or processing of sensitive assets in
untrustworthy environments, architects should do so rather than add an integrity control
architecture: a control is not needed for an asset that is never exposed.

7. Detect Integrity Violation Incidents


Detecting code integrity violation incidents is important because otherwise the attacker has
unlimited time to perfect an integrity attack. An integrity violation is defined as an unauthorized
insertion of, or change to, code in the application.

For example, a Checksum control is responsible for detecting code changes between compile-
time and runtime of the application.

8. Don’t Trust Infrastructure

The operating environment of an application must never be trusted. Although an application
may be deemed secure in one environment, it may eventually be used in an unforeseen way in
an unforeseen environment.

For example, web application code may be reused within mobile application code. In such a
scenario, the web application’s business layer code may be hosted in a more controlled
(trustworthy) environment while the same web code is later moved into a less controlled
(untrustworthy) mobile environment.

9. Establish Secure Defaults

There are many ways to deliver an “out-of-the-box” experience for users. However, by default,
the experience must be secure. By default, the application should have integrity controls turned
on.


For example, it is advisable to force application integrity controls to be automatic and on at all
times within the mobile application. Whether such controls are active should not depend on an
external configuration file. If this dependency existed, it would be possible to accidentally
release an application with an inactive integrity control, and an attacker who can edit the file
could switch the control off.
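The following is an added example, not code from the original article, illustrating both the Checksum control of principle 7 and the always-on default of principle 9 in Python. It assumes a hypothetical sensitive function `transfer_funds`, simulates the build step with a digest captured once at import time, and uses a constructed `INCIDENTS` list as the stand-in for an incident-reporting channel. The weak `weak_guarded_transfer` variant is included only to show the configuration-file dependency the article warns against.

```python
"""Added example (not from the article): a Checksum integrity control that is
compiled in and always on, contrasted with a configuration-dependent variant.
Names transfer_funds, guarded_transfer, report_incident and INCIDENTS are
assumptions made for this illustration.
"""
import hashlib
import hmac
import marshal

INCIDENTS = []  # constructed stand-in for the app's incident/telemetry channel


def transfer_funds(account: str, amount: int) -> str:
    """Sensitive business logic an attacker would like to patch."""
    if amount <= 0:
        return "rejected"
    return f"moved {amount} from {account}"


def code_digest(fn) -> str:
    """SHA-256 over the function's compiled code object (bytecode, constants,
    names). The build step records this value; runtime recomputes it."""
    return hashlib.sha256(marshal.dumps(fn.__code__)).hexdigest()


# "Compile time": the digest is captured once and shipped as a constant inside
# the artifact. There is no flag or file that can switch the check off.
EXPECTED_DIGEST = code_digest(transfer_funds)


def report_incident(reason: str) -> None:
    """Detection-only response (principle 4/7): record the event for the security
    team. The control deliberately does not invoke privileged functionality."""
    INCIDENTS.append(reason)


def check_integrity() -> bool:
    """Runtime half of the Checksum control: compare current bytecode against the
    build-time digest. Returns True when the code is unchanged."""
    ok = hmac.compare_digest(code_digest(transfer_funds), EXPECTED_DIGEST)
    if not ok:
        report_incident("transfer_funds: bytecode differs from build-time digest")
    return ok


def guarded_transfer(account: str, amount: int) -> str:
    """Secure default (principle 9): the check runs unconditionally before the
    sensitive code, with no external configuration consulted."""
    if not check_integrity():
        return "integrity violation"
    return transfer_funds(account, amount)


def weak_guarded_transfer(account: str, amount: int, config: dict) -> str:
    """Anti-pattern: the guard is active only if a config file says so. Anyone
    who can edit that file, or a release that ships the wrong file, disables it."""
    if config.get("integrity_checks", True) and not check_integrity():
        return "integrity violation"
    return transfer_funds(account, amount)


def simulate_code_insertion() -> None:
    """Constructed attack: replace the function body with one that skips the
    amount validation, as a runtime patcher or repackaged app would."""
    def patched(account, amount):
        return f"moved {amount} from {account}"
    transfer_funds.__code__ = patched.__code__


if __name__ == "__main__":
    print("before tamper:", guarded_transfer("acct-1", -5))       # rejected
    simulate_code_insertion()
    print("always-on guard:", guarded_transfer("acct-1", -5))     # integrity violation
    print("config-dependent guard:",
          weak_guarded_transfer("acct-1", -5, {"integrity_checks": False}))
    print("incidents:", INCIDENTS)
```

In this example the digest of `check_integrity` itself is not verified, so a single guard can be patched out; the article's principle 5 is the answer to that, with several controls that also check each other rather than one control checking the business code alone.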

Cyber Warnings Magazine – September Edition
Copyright (C) Cyber Defense Magazine, All rights reserved worldwide