Why Secure By Default?
“Applications without security architecture are as bridges constructed without finite element analysis and wind tunnel testing. Sure, they look like bridges, but they will fall down at the first flutter of a butterfly’s wings. The need for application security in the form of security architecture is every bit as great as in building or bridge construction.” – OWASP, Secure Coding Principles
It’s a Shame
The state of security in today’s software and systems makes us cringe, and we’re out to do something about it. While we aspire to perfection, we don’t expect we’re all going to get there overnight. We’ll settle for starting with “substantially better,” and we’ll help our customers get there by using innovative technologies and tools.
Secure By Default: A Shorthand for Systems That Start Secure
Our goal is to have a broad impact on the state of cybersecurity in the real world. When we say “secure by default,” we mean we want to see the day when software engineering and systems implementations are secure “out of the box.” We want to see the day when it actually becomes hard do to the “wrong” thing. A day when software engineers can’t create a buffer overflow vulnerability, and systems integrators can’t select weak crypto configurations – at least, not without having to use extraordinary means.
Designing Secure Systems
Our pedigree is in creating technologies that implement comprehensive security – not based on patches and brittle signatures that require constant updating in a losing battle. In many cases we use technologies that solve problems once and for all. Examples of the toolsets that we use (and even build) include:
- Formal methods that mathematically prove that software performs as intended, and ONLY as intended
- Domain specific languages that make it very difficult to implement defects common in legacy programming languages
- Machine learning, machine analysis, and automated application security analysis techniques that scale beyond what humans can accomplish manually
We have created numerous systems that help our customers achieve their software security architecture goals, resulting in software that:
- Contains fewer defects from the outset
- Performs with predictable, quantifiable behaviors
- Exposes smaller attack surface areas
- Contains less, unnecessary complexity
- Provides strong separation of duties
- Implements comprehensive defense in depth architectures
Excited? Learn more about secure coding principles at OWASP.