2006-12-23

Security by Configuration

There is an interesting article on Linux.com about configuration-centered security, “Configuration: The Forgotten Side of Security” (by Bruce Byfield). Whereas most security products on the market follow a reactive approach (e.g., anti-virus scanners, patches), a proactive approach builds security into the design and installation of a computer system. Intuitively, taking security into account right from the start should be the better approach, because design flaws in a software architecture are harder to fix later. The article offers some reasons why the computer industry has not followed this approach. One reason mentioned is the tradeoff between security and convenience. But counter-examples are given (for instance, Mac OS X *g*), and an IT professional is quoted saying that “usability and security are not mutually exclusive”. And I think that is absolutely right.

The article lists the basic goals of system configuration, which are derived from basic security principles (least privilege, containment, and so on):

  • Build for a specific purpose and only include the bare minimum needed to accomplish the task.

  • Protect the availability and integrity of data at rest.

  • Protect the confidentiality and integrity of data in motion.

  • Disable all unnecessary resources.

  • Limit and record access to necessary resources.
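To make the five goals concrete, here is an added example (not from the original post or the Linux.com article) that audits a host inventory against each goal and then shows the corrected configuration passing the same audit. The inventory is a constructed, in-memory description of a hypothetical static web server; a real audit would populate it from the live system (package manager, service manager, socket table, file metadata), and the protocol list and mode checks are simplified assumptions.

```python
"""Audit a host configuration against the five goals listed above.

Added example, not part of the original post. The inventory is constructed;
HostInventory, audit() and harden() are illustrative names, not a real tool.
"""
from dataclasses import dataclass, replace

# Assumption: protocols that carry data in the clear (goal 3).
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http", "rsh", "pop3", "imap"}


@dataclass(frozen=True)
class HostInventory:
    purpose: str
    required_packages: frozenset
    installed_packages: frozenset
    required_services: frozenset
    enabled_services: frozenset
    listening: dict      # port -> (service name, protocol)
    files: dict          # path -> (octal mode, "public" or "secret")
    audit_logging: bool  # is access to resources being recorded?


def audit(inv):
    """Return a list of (finding kind, message); empty means all goals met."""
    findings = []
    # Goal 1: build for a purpose, install only the bare minimum.
    for pkg in sorted(inv.installed_packages - inv.required_packages):
        findings.append(("minimal-build",
                         f"package '{pkg}' not needed for purpose '{inv.purpose}'"))
    # Goal 4: disable all unnecessary resources.
    for svc in sorted(inv.enabled_services - inv.required_services):
        findings.append(("unnecessary-service",
                         f"service '{svc}' is enabled but not required"))
    # Goal 3: confidentiality and integrity of data in motion.
    for port, (svc, proto) in sorted(inv.listening.items()):
        if proto in CLEARTEXT_PROTOCOLS:
            findings.append(("cleartext-listener",
                             f"{svc} on port {port} speaks {proto} in the clear"))
    # Goal 2: availability and integrity (and confidentiality) of data at rest.
    for path, (mode, classification) in sorted(inv.files.items()):
        if mode & 0o002:  # other-writable: anyone can corrupt the file
            findings.append(("world-writable",
                             f"{path} mode {mode:04o} is writable by everyone"))
        if classification == "secret" and mode & 0o044:  # group/other read
            findings.append(("secret-readable",
                             f"{path} mode {mode:04o} exposes secret data"))
    # Goal 5: limit and record access to necessary resources.
    if not inv.audit_logging:
        findings.append(("no-audit-log", "access to resources is not recorded"))
    return findings


def harden(inv):
    """Apply the configuration changes the findings call for."""
    listening = {p: (svc, proto) for p, (svc, proto) in inv.listening.items()
                 if proto not in CLEARTEXT_PROTOCOLS}
    files = {}
    for path, (mode, classification) in inv.files.items():
        mode &= ~0o002                      # nobody but owner/group may write
        if classification == "secret":
            mode &= 0o700                   # owner-only access for secrets
        files[path] = (mode, classification)
    return replace(inv,
                   installed_packages=inv.required_packages,
                   enabled_services=inv.required_services,
                   listening=listening, files=files, audit_logging=True)


def sample_inventory():
    """Constructed inventory of a hypothetical, sloppily installed web server."""
    return HostInventory(
        purpose="static web server",
        required_packages=frozenset({"nginx", "openssh-server"}),
        installed_packages=frozenset({"nginx", "openssh-server", "cups", "telnetd", "gcc"}),
        required_services=frozenset({"nginx", "sshd"}),
        enabled_services=frozenset({"nginx", "sshd", "cups", "telnetd"}),
        listening={22: ("sshd", "ssh"), 443: ("nginx", "https"), 23: ("telnetd", "telnet")},
        files={"/etc/ssl/private/server.key": (0o644, "secret"),
               "/var/www/html/index.html": (0o666, "public"),
               "/etc/passwd": (0o644, "public")},
        audit_logging=False,
    )


if __name__ == "__main__":
    inv = sample_inventory()
    for kind, msg in audit(inv):
        print(f"[{kind}] {msg}")
    print("after hardening:", audit(harden(inv)))   # prints: after hardening: []
```

The audit deliberately starts from a statement of purpose: without knowing what the machine is for, "unnecessary" has no meaning, which is why goal 1 comes first and the other checks are derived from it.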


I think these goals should be applied especially to online banking applications in the context of phishing attacks. Full-featured, complex web browsers do not seem to be the right basis for such tasks, do they? Well, maybe the idea of browser compartments is a good starting point…