Status: draft


This journal will record my thoughts and experiences in my journey toward making this website secure, or more precisely, “secure by design”. I want to reflect on all the design decisions I make along the way and how they affect security. “Secure by design” also means that I’ll try to avoid layers of technical controls and filters to compensate for underlying vulnerabilities or exposures.

I’m calling it a “journal” because the word originally referred to the notebook people would take when they went on a trip – a journey – so they could record their thoughts and experiences along the way.

I’m writing this as a “common man” and not as a security expert, and certainly not as a web security expert. To you and others, I may look like a security expert and I may not appear to have much in common with ordinary folk building, maintaining, and using web sites.

Yes, I have been working in and around information security for a few years, and I’ve been thinking about it and writing about it for longer (since about 2007). Yes, I have an Electrical Engineering degree and I worked in Hewlett-Packard’s R&D lab early in my career. Yes, I have designed and built web sites before – mostly in HTML using Dreamweaver, several wiki sites using MediaWiki (same engine as Wikipedia), and briefly a WordPress site for a blog. So I am certainly not a novice or technically unskilled. But, compared to Real™ security experts (I know many), I haven’t developed or deployed security technologies (e.g. firewalls), I have never done penetration testing (a.k.a. ‘white hat hacking’), and I have certainly never dived deep into secure web design, either on the client or server side.

This means that I will probably learn a lot along the way, even when I make mistakes or I get confused. As a social scientist, I am using myself as a test subject, with a goal to understand how security-related decisions are made, how decisions relate to each other, and whether it is reasonable to expect web site designers to make their sites secure by design.

I may end up with a site that other people might want to emulate or remix, or maybe not. Don’t take anything I say as gospel. Maybe things that I learn and try out will help you, or maybe you’ll appreciate the process and the journey.