SoK：安全默认值的设计范例

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2025-02-26 DOI:10.1016/j.jisa.2025.103989

Jukka Ruohonen

{"title":"SoK：安全默认值的设计范例","authors":"Jukka Ruohonen","doi":"10.1016/j.jisa.2025.103989","DOIUrl":null,"url":null,"abstract":"<div><div>In security engineering, including software security engineering, there is a well-known design paradigm telling to prefer safe and secure defaults. The paper presents a systematization of knowledge (SoK) of this paradigm by the means of a systematic mapping study and a scoping review of relevant literature. According to the mapping and review, the paradigm has been extensively discussed, used, and developed further since the late 1990s. Partially driven by the insecurity of the Internet of things, the volume of publications has accelerated from the circa mid-2010s onward. The publications reviewed indicate that the paradigm has been adopted in numerous different contexts. It has also been expanded with security design principles not originally considered when the paradigm was initiated in the mid-1970s. Among the newer principles are an “off by default” principle, various overriding and fallback principles, as well as those related to the zero trust model. The review also indicates problems developers and others have faced with the paradigm.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"90 ","pages":"Article 103989"},"PeriodicalIF":3.8000,"publicationDate":"2025-02-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"SoK: The design paradigm of safe and secure defaults\",\"authors\":\"Jukka Ruohonen\",\"doi\":\"10.1016/j.jisa.2025.103989\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>In security engineering, including software security engineering, there is a well-known design paradigm telling to prefer safe and secure defaults. The paper presents a systematization of knowledge (SoK) of this paradigm by the means of a systematic mapping study and a scoping review of relevant literature. According to the mapping and review, the paradigm has been extensively discussed, used, and developed further since the late 1990s. Partially driven by the insecurity of the Internet of things, the volume of publications has accelerated from the circa mid-2010s onward. The publications reviewed indicate that the paradigm has been adopted in numerous different contexts. It has also been expanded with security design principles not originally considered when the paradigm was initiated in the mid-1970s. Among the newer principles are an “off by default” principle, various overriding and fallback principles, as well as those related to the zero trust model. The review also indicates problems developers and others have faced with the paradigm.</div></div>\",\"PeriodicalId\":48638,\"journal\":{\"name\":\"Journal of Information Security and Applications\",\"volume\":\"90 \",\"pages\":\"Article 103989\"},\"PeriodicalIF\":3.8000,\"publicationDate\":\"2025-02-26\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Information Security and Applications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2214212625000274\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625000274","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

在安全工程（包括软件安全工程）中，有一个众所周知的设计范例告诉我们要选择安全可靠的默认值。本文通过系统的制图研究和相关文献的范围审查，提出了这一范式的系统化知识（SoK）。根据映射和回顾，自20世纪90年代末以来，该范式得到了广泛的讨论、使用和进一步发展。部分由于物联网的不安全性，出版物的数量从2010年代中期开始加速增长。所审查的出版物表明，该范式已在许多不同的背景下被采用。它还扩展了安全设计原则，当范式在20世纪70年代中期开始时，最初没有考虑到这些原则。较新的原则包括“默认关闭”原则、各种覆盖原则和回退原则，以及与零信任模型相关的原则。审查还指出了开发人员和其他人在使用范式时遇到的问题。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

SoK: The design paradigm of safe and secure defaults

In security engineering, including software security engineering, there is a well-known design paradigm telling to prefer safe and secure defaults. The paper presents a systematization of knowledge (SoK) of this paradigm by the means of a systematic mapping study and a scoping review of relevant literature. According to the mapping and review, the paradigm has been extensively discussed, used, and developed further since the late 1990s. Partially driven by the insecurity of the Internet of things, the volume of publications has accelerated from the circa mid-2010s onward. The publications reviewed indicate that the paradigm has been adopted in numerous different contexts. It has also been expanded with security design principles not originally considered when the paradigm was initiated in the mid-1970s. Among the newer principles are an “off by default” principle, various overriding and fallback principles, as well as those related to the zero trust model. The review also indicates problems developers and others have faced with the paradigm.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.