What does it mean to build in security from the ground up?

As if secure design is the only bullet point in a list of software engineering best practices

[Larry Peterson](/Author/Larry-Peterson) Sun 2 Feb 2025 // 17:26 UTC

**Systems Approach** As my Systems Approach co-author Bruce Davie and I think through what it means to apply the systems lens to security, I find that I keep asking myself what it is, exactly, that’s unique about security as a system requirement?

That question takes me back to a time before security became such a mainstream news topic; before security breaches were so common that we’ve become desensitized to the news of another one. Believe it or not, there was a time when Internet security was not on the public’s mind, and the task at hand was to raise awareness of the security risks the internet posed.

This was well after the [Morris Worm](https://en.wikipedia.org/wiki/Morris_worm) made it painfully obvious how impactful a security incident could be. That was a wakeup call for the research community ([myself included](https://www.theregister.com/2022/02/09/section_8_unix_user_manual/)), who were at the time the only serious internet users. That experience (and others) eventually led to a concerted effort to educate the public about security. Two personal opportunities in the mid-2000s to get on a soapbox and talk about security come to mind.

> The echo on the line was so bad it was hard to keep your wits about you

The first was an invitation to be a guest on [Ira Flatow’s Science Friday](https://www.sciencefriday.com/). I haven’t been able to reconstruct the details — there were other ‘future of the internet’ experts on the show — but I do remember my role was to talk about the risks of security incidents, and how we needed to rethink the internet architecture from the ground up to make it more secure. (This was at a time when [PlanetLab](https://planetlab.cs.princeton.edu/history.html), a networking research hub of which I was director, was getting a lot of press coverage as a laboratory for [reinventing](https://planetlab.cs.princeton.edu/impact.html) the internet.)

My only vivid memory of the experience is that I called into [the Science Friday show](https://www.npr.org/transcripts/5434633?storyId=5434633?storyId=5434633) over an ISDN line terminated in a sound recording room at Princeton, and the echo on the line was so bad it was hard to keep your wits about you.

The second opportunity took place at a Princeton Development Retreat at Pebble Beach. (In university vernacular, ‘Development’ is a fundraising endeavor and, at Princeton, faculty are sometimes invited to talk about their research at events attended by wealthy alumni.) In this particular case, I teamed up with Tom Leighton, an alum and co-founder of Akamai, to talk about internet security.

Tom played the bad cop (telling everyone about the security threats exposed by the data Akamai collects) and I played the good cop (Princeton researchers to the rescue, building a more secure internet for the future). We must have made an impression because, shortly afterwards, we were invited to the White House to brief the Deputy National Security Advisor on internet security risks.

Again, my most vivid memory is about the most banal detail — in this case, how small an office the advisor had. I’m also pretty sure we weren’t telling him anything he didn’t already know.

### Security as a motivator

What do I take away from these stories?
For one, while I believe it is important for innovators to educate and inform the public about the implications of technology they are inventing, it is also clear that we (computer science researchers, the universities that employed us, and the government funding agencies that lobbied for appropriations so they could fund our research) were at least in part using security for its motivational value. There’s nothing quite like fear to get people to act.

That’s definitely one thing that’s unique about security as a systems requirement: Security is something that’s easily understood by the general public. But I wonder whether the ‘we need to build in security from the ground up’ part of the message actually makes sense. It sounds good — and the alternative of ‘bolting security onto existing systems’ was intentionally pejorative — but I’m not sure it’s a meaningful goal.

One reason to doubt that message — which gets at the heart of the ‘what’s unique’ question — is that we have succeeded in building highly modular security mechanisms that can be reused by any and all applications. Kerberos and TLS are two great examples. The last thing we’d want is for every system or application to have to get the details of complex authentication protocols, key distribution protocols, and so on, right. Pushing for security ‘from the ground up’ ought not to discourage the use of perfectly capable, preexisting modular security mechanisms.

* [Security is hard because it has to be right all the time? Yeah, like everything else](https://www.theregister.com/2024/02/25/security_not_different/)
* [Security is an architectural issue: Why the principles of zero trust and least privilege matter so much right now](https://www.theregister.com/2021/05/27/security_architecture/)
* [Windows: Insecure by design](https://www.theregister.com/2024/06/28/windows_insecure_by_design/)
* [Good luck securing ‘things’ when users assume ‘stuff just works’](https://www.theregister.com/2016/10/27/good_luck_securing_things_when_users_assume_stuff_just_works/)

What security-related issues do you have to address on day one? Certainly if you expect a system to be multi-tenant, you have to define the level of isolation you want to maintain between tenants/users, and implement mechanisms that enforce it, from the ground up.

But I don’t consider isolation (or its counterpart, resource sharing) to be a security question, at least not in the ways we talk about security today. Early timesharing operating systems and filesystems were supporting isolation without directly considering potential attack vectors. Isolation was primarily about fair resource allocation and efficient utilization; naming and addressing were critical to enabling resource sharing; and privileged operations were limited to the kernel. Malicious attacks were generally not a ‘failure mode’ under consideration. Design questions about isolation, privilege, and access control were expressed as ‘positive goals’ that could be satisfied.

Today if you were to build a multi-tenant system you’d have to start with the same fundamental design issues — eg, identify the relevant principals and resources and specify who can access what — but then you would employ existing security mechanisms to protect the resulting system from known attacks.

This suggests that knowing about the state of the art in security mechanisms, and how to use them, is what it means to build in security from the ground up.
It turns out that this is just one bullet item on a list of a general set of best practices software companies require their developers to follow.

If you’re not familiar with such requirements, [take a look at](https://www.microsoft.com/en-us/securityengineering/sdl/practices?oneroute=true) Microsoft’s Security Development Lifecycle (SDL) Practices, which is targeted at app developers who might deploy their services on Azure. I’d wager most software companies have similar, if not more stringent, engineering requirements for their own engineers to follow. I’d also wager the measures each company takes to ensure those rules are followed are highly variable.

The list is as applicable to sound software engineering in general as to security specifically, but the existence of security-focused lists like this suggests to me that security is unique in one way: The strong negative incentive that failure to secure provides. The failure modes are as unlimited as an attacker’s imagination, making security a ‘negative goal.’

Personally, I’ve never found work that primarily involves keeping bad things from happening all that satisfying, but as I learned from my ‘soapbox’ experiences, it is a strong motivator. ®

**Larry Peterson and Bruce Davie** are the authors behind [*Computer Networks: A Systems Approach*](https://book.systemsapproach.org/) and the related [Systems Approach](https://www.systemsapproach.org/) series of books. All their content is open source and available for free on [GitHub](https://github.com/SystemsApproach). You can find them on [Mastodon](https://discuss.systems/@SystemsAppr), their newsletter [right here](https://systemsapproach.org/newsletter/), and past *The Register* columns [here](https://www.theregister.com/Tag/Systems%20Approach).