Principle 8: Hard to hide secrets

Don't rely on security by obscurity [Kerckhoffs' principle]
Don't assume attackers don't know the application source code, and can't reverse-engineer binaries
- Don't hardcode secrets in code.
- Don't rely on code obfuscation

Counterexamples
- DVD encryption
- webpages with hidden URLs
- passwords in javascript code - this happens!

CSE825 17