Why the Options Pattern is Great for Security
2021-09-03, 12:00–12:40, Main track

The speaker will demonstrate three security benefits of the options pattern for object initialization by showing three examples. They will also suggest and explain a small but significant improvement to the options pattern that increases security even more.


Secure coding and functional programming are rarely mentioned in the same sentence. What if by applying a functional programming construct, we could write more secure code? Enter the Options Pattern, a hidden gem in securing your approach to object initialization.

The options pattern is a modern object initialization idiom. It involves writing a set of second-order functions returning options that roughly correspond to the initialization parameters. An option receives the object for initialization and applies a narrow modification to it.

The options pattern provides security benefits as side effects of encapsulation and separation of concerns. The main benefit is that it can make complex objects difficult to misuse, a necessary quality for modern cryptography, networking, and low-level libraries. It aids with code readability, reliability, and resilience. When properly implemented, the options pattern ensures sensible defaults, detects configuration conflicts at initialization, and provides logical grouping and consistency with entangled parameters.

In this talk, the speaker will explain how wider adoption of the options pattern improves code security for any project. Several examples will be examined and described as a demonstration of how to properly apply the secure coding options pattern in your own code.

Outline

  1. (1min) Review the options pattern.
  2. (1min) State the goal of the presentation: adopt this pattern
  3. (2min) Explain problems it can solve:
    - Secure defaults
    - Parameter grouping
    - Parameter conflicts
    - Parameter misuse
  4. (4min) Suggest and explain an improvement to the classic pattern
  5. Three examples of improved security by adding the options pattern
  6. (2min) Conclusion

Application security engineer and lead curriculum contributor for Go, Python, and ES6 at @SecurityJourney. Aspiring to become a gentle FOSS maverick by age 60.