Foreword
Security is simple. We use a little bit of cryptography, add some firewalls and passwords – done! In theory…
When I started work in the field of security in the mid 1990s, I met many people who thought they could easily secure their applications. They used certain ingredients of security measures and applied them to whatever problem they had. Even worse: sometimes they didn’t use existing ingredients, but build their own – making the same errors made in hundreds of previous projects. And practice proved them wrong: security was never simple – there’s always at least one loophole. There’s always an unexpected side-effect. There’s always something that you miss if you are not an expert. Front page news regularly proves that we obviously never learn.
Key reasons for insecure applications are:
- Lack of time, due to aggressive deadlines and tight budgets
- Lack of knowledge – IT experts are usually not security experts
- Lack of priorities – functionality and performance usually come top
That’s why we are literally doomed to failure. Hackers have an easy job entering a system, stealing or changing data and leaving without a trace. Sometimes the victim doesn’t even know that something really bad happened until his new designs are somehow copied by a competitor, or supposedly protected customer data is published on public web sites. Or a journalist gets a hint of a fantastic new story. Even worse, modern applications are becoming more and more complex – think of recent trends like mobility and cloud computing. Borders disappear and the means of protecting known areas is difficult.
In traditional engineering we have hundreds of years of knowledge that has evolved over time. We know how to build bridges that survive rain, wind and earthquakes. We know how to build solid cars that give you a good chance of surviving a crash. We know of proven solutions to problems in specific contexts. Written down, these are called a patterns, paradigms that have also been applied to software engineering for quite some time. Towards the end of the 1990s we saw work on patterns that were dedicated to security problems. The pattern community came together and collected the work in progress, resulting in one of the first comprehensive security pattern collections, which captured security expertise for getting it done the right way.
It was obvious that the work was not completed by the publication of a few books. Besides mining additional knowledge and writing more patterns, an interesting question is how to apply them effectively. Both of these issues are answered with this new book from Eduardo Fernandez, a pioneer of computer science and security patterns. He has continued the work that we started ten years ago, and I’m honored that I could be his sparring partner while he wrote it.
The result is the most up-to-date guide for software engineers who want to understand how to build reliable applications. It provides guidance for applying the captured expertise of security pattern in your day-to-day work. Security is still not easy, but it is much easier when you understand the benefits, liabilities and dependencies of specific solutions.
Markus Schumacher
Heidelberg, Germany, March 2013