Design phase

Why should I concern myself with security in product design?

Design provides the foundation for your product's security. A robust design can eliminate many security problems in later development phases – however, errors and mistakes in the design can cause significant security holes in the product even if the implementation is perfect.

For instance, consider the bluejacking attack against Bluetooth technology. During the Bluetooth pairing process, one device sends a pairing request to another. For identification purposes, this request contains the name of the requesting device – which will be displayed to the user. On one hand, this is a good way to let the user control pairing requests. On the other hand, an attacker may use this feature to send unwanted messages to the mobile user, or make the phone unusable by sending pairing requests continually.

What can I do to avoid or mitigate such problems?

There are several things to keep in mind when designing security into a system. Most importantly, the system architects have to think about security while creating the design instead of looking only at the functional aspects.

To create a clear and effective security architecture, you have to identify the main assets of the system – typically the user's personal data, encryption keys, certificates and so on. These assets are the targets that the attacker wants to obtain or modify.

By thinking like an attacker, you can use threat modeling techniques to identify possible security hotspots, and countermeasures should be built into the design to minimize the possibility and the effect of such problems.
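A design-level countermeasure for the bluejacking case described earlier, as an added example that is not SEARCH-LAB's code or part of any Bluetooth stack: the peer-supplied device name is treated as untrusted display data, and pairing prompts are rate-limited both per sender and overall. The function and class names and all limits are assumptions chosen for illustration.

```python
import time
import unicodedata
from collections import defaultdict, deque

# All limits below are assumed values for illustration.
MAX_NAME_CHARS = 32     # longest label the prompt will show
MAX_PER_SENDER = 3      # prompts allowed per sender address per window
MAX_TOTAL = 6           # prompts allowed overall per window (addresses can be spoofed)
WINDOW_SECONDS = 60.0

def display_name(raw: bytes) -> str:
    """Turn a peer-supplied device name into a short single-line label."""
    text = raw.decode("utf-8", errors="replace")
    # Control and format characters (newlines, NUL, bidi overrides) become
    # spaces so the name cannot reshape the prompt.
    text = "".join(" " if unicodedata.category(c)[0] == "C" else c for c in text)
    text = " ".join(text.split())
    if len(text) > MAX_NAME_CHARS:
        text = text[:MAX_NAME_CHARS - 3] + "..."
    return text or "(unnamed device)"

class PairingGate:
    """Decides whether an incoming pairing request may interrupt the user."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._per_sender = defaultdict(deque)   # address -> prompt timestamps
        self._all = deque()                     # timestamps of every prompt shown

    @staticmethod
    def _expire(stamps, now):
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()

    def handle(self, sender_addr: str, raw_name: bytes):
        """Return the prompt text to show, or None to drop the request silently."""
        now = self._clock()
        recent = self._per_sender[sender_addr]
        self._expire(recent, now)
        self._expire(self._all, now)
        if len(recent) >= MAX_PER_SENDER or len(self._all) >= MAX_TOTAL:
            return None   # flooding: do not prompt, the device stays usable
        recent.append(now)
        self._all.append(now)
        return f'Device "{display_name(raw_name)}" ({sender_addr}) wants to pair. Accept?'
```

The per-sender table grows with every new address seen, so a production design would also bound its size.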

How can SEARCH-LAB help me in this?

We have performed design reviews on numerous systems in a variety of domains, and have significant expertise in threat analysis from past security audit projects. We can help you identify critical design issues early in your development, harden your design against threats, and highlight possible "problem areas" that will need extra attention during later phases of the development process.