Skip to content
System Design

Security in System Design

A guide to the core principles, common threats, and best practices for building secure software systems.

Table of Contents

Core Principles of Security

Security is not a feature to be added at the end of development; it must be integrated into every stage of the system design process. The core principles of security are often referred to as the CIA Triad:

  • Confidentiality: Ensuring that data is accessible only to authorized users.
  • Integrity: Maintaining the consistency, accuracy, and trustworthiness of data.
  • Availability: Ensuring that the system and its data are available to authorized users when needed.

Authentication vs. Authorization

These two terms are often used interchangeably, but they represent distinct security concepts.

Authentication

Authentication is the process of verifying the identity of a user or service. It answers the question, “Who are you?”

  • Common Methods:
    • Passwords: The most common form of authentication, but also the weakest.
    • Multi-Factor Authentication (MFA): Requires two or more verification methods (e.g., a password and a code from a mobile app).
    • OAuth: An open standard for access delegation, commonly used to grant websites or applications access to their information on other websites without giving them the passwords.
    • JSON Web Tokens (JWT): A compact, URL-safe means of representing claims to be transferred between two parties.

Authorization

Authorization is the process of granting or denying a user or service permission to access a specific resource or perform a specific action. It answers the question, “What are you allowed to do?”

  • Common Methods:
    • Access Control Lists (ACLs): A list of permissions attached to an object.
    • Role-Based Access Control (RBAC): Permissions are assigned to roles, and users are assigned to roles.

Note: Authentication always comes before authorization.

Common Security Threats

  • SQL Injection: An attacker uses a web form or URL parameter to gain access to or manipulate a database.
  • Cross-Site Scripting (XSS): An attacker injects malicious scripts into a trusted website, which are then executed in the user’s browser.
  • Cross-Site Request Forgery (CSRF): An attacker tricks a user into performing an unwanted action on a website where they are authenticated.
  • Denial-of-Service (DoS) / Distributed Denial-of-Service (DDoS): An attempt to make a machine or network resource unavailable to its intended users.

Best Practices and Techniques

  • Encryption:
    • In Transit: Encrypting data as it travels over a network (e.g., using TLS/SSL).
    • At Rest: Encrypting data when it is stored on a disk or in a database.
  • Secure Coding Practices: Following guidelines to write code that is resilient to attack (e.g., input validation, parameterized queries).
  • Principle of Least Privilege: Granting users and services only the permissions they absolutely need to perform their tasks.
  • Firewalls: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • Regular Security Audits and Penetration Testing: Proactively identifying and fixing security vulnerabilities.
  • Monitoring and Logging: Continuously monitoring for security threats and logging relevant events for auditing and forensics.

Key Security Protocols

  • HTTPS (Hypertext Transfer Protocol Secure): The secure version of HTTP, where communications are encrypted using SSL/TLS.
  • SSL/TLS (Secure Sockets Layer / Transport Layer Security): Cryptographic protocols that provide secure communication over a computer network.

Summary

Security is a critical aspect of system design that requires a proactive and multi-layered approach. By integrating security considerations from the beginning of the development lifecycle and following best practices, you can build systems that are resilient to threats and protect user data. Key elements include robust authentication and authorization, protection against common threats, and the use of encryption and secure protocols.