IEEE: Top Ten Software Security Design Flaws


The IEEE Center for Secure Design cybersecurity initiative has released a report titled "Avoiding the Top 10 Software Security Design Flaws". Based on real-world data, the report draws on experts from a diverse group of organizations, who discussed software security design flaws that they had identified in their own internal design reviews.

What resulted was a list of the top 10 most significant software security design flaws and the design techniques to avoid them. Practical advice ranges from encouraging the correct use of applied cryptography to validating each individual bit of data.

"Bugs and flaws are two very different types of security defects," said participant Gary McGraw, chief technology officer at Cigital. "We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50% of software security issues. The IEEE Center for Secure Design allows us a chance to refocus, to gather real data, and to share our results with the world at large."

The following list of recommendations was born from the workshop to help developers avoid the top security design flaws (each technique is described in detail in the report):

  1. Earn or give, but never assume, trust
  2. Use an authentication mechanism that cannot be bypassed or tampered with
  3. Authorize after you authenticate
  4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources
  5. Define an approach that ensures all data are explicitly validated
  6. Use cryptography correctly
  7. Identify sensitive data and how they should be handled
  8. Always consider the users
  9. Understand how integrating external components changes your attack surface
  10. Be flexible when considering future changes to objects and actors

