The top 10 security software design flaws and how to avoid them
It's a fact that most software has bugs of some sort when it gets released. More significant, however, are fundamental flaws in the design: whilst bugs generally get fixed, design flaws are often overlooked.
To address this, the professional organization IEEE is bringing together leading figures from Google, HP, Twitter and Cigital to form a Center for Secure Design group, with the aim of tackling serious design flaws in software.
What has emerged from the first workshop held by this group is a list of the top ten most significant software security design flaws and the design techniques needed to avoid them. Practical advice ranges from encouraging the correct use of applied cryptography to validating each individual bit of data.
"The Center for Secure Design will play a key role in refocusing software security on some of the most challenging open design problems in security", says Neil Daswani of the security engineering team at Twitter. "By putting focus on security design and not just focusing on implementation bugs in code, the CSD does even the most advanced companies in the space a huge service".
The workshop resulted in a series of recommendations for avoiding the most common flaws:
- Earn or give, but never assume, trust
- Use an authentication mechanism that cannot be bypassed or tampered with
- Authorize after you authenticate
- Strictly separate data and control instructions, and never process control instructions received from untrusted sources
- Define an approach that ensures all data are explicitly validated
- Use cryptography correctly
- Identify sensitive data and how they should be handled
- Always consider the users
- Understand how integrating external components changes your attack surface
- Be flexible when considering future changes to objects and actors
Each of these is discussed in more detail in the report, which you can read on the IEEE site.
"Bugs and flaws are two very different types of security defects," says Gary McGraw, chief technology officer at Cigital. "We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50 percent of software security issues. The IEEE Center for Secure Design allows us a chance to refocus, to gather real data, and to share our results with the world at large".