Security Experts Identify Top 10 Software Design Flaws


Security experts at the IEEE Secure Design Center (CSD) published a report on the top 10 software security design flaws.

The report is based on real data collected from the world’s largest technology companies and includes insights on techniques to avoid the most significant software security design flaws.

According to the IEEE, practical advice ranges from encouraging the correct use of applied cryptography to validating every bit of data.

The CSD is part of a cybersecurity initiative launched in 2014 by the IEEE Computer Society, an association for IT professionals.

The larger initiative aims to intensify the IEEE’s involvement in cybersecurity.

The CSD was set up to shift some of the security attention from finding bugs to identifying common design flaws in the hope that software architects can learn from the mistakes of others.

Its primary objectives are to provide advice on the recognition of software system designs that may be vulnerable to compromise, and on the design and construction of software systems with strong and identifiable security properties.

The founding members of CSD are Cigital, EMC, Harvard University, HP, Intel / McAfee, RSA and Twitter.

Its members believe that proper security design has been the Achilles heel of security engineering for decades.

“The CSD will play a pivotal role in refocusing software security and security engineering on the most challenging open security issue,” said Neil Daswani of Twitter’s security engineering team.

“By moving beyond the myopic focus on implementation bugs in code and talking about security design, CSD is doing a huge service to even the most advanced companies in the industry.”

Gary McGraw, Cigital CTO and author of the book Software Security, said bugs and flaws are two very different types of security flaws.

“We believe the focus has been more on common bugs than on secure design and defect avoidance, which is worrying as design flaws account for 50% of software security issues,” he said.

McGraw said the CSD has provided its members with the opportunity to refocus, collect real data and share the results with the world.

The report contains a list of recommendations from a workshop to help developers avoid major security design flaws. Each technique is described in detail in the report.

Summary of recommendations:

  • Earn or give, but never assume, trust
  • Use an authentication mechanism that cannot be bypassed or tampered with
  • Authorize after you have authenticated
  • Strictly separate data and control instructions, and never process control instructions received from untrusted sources
  • Define an approach that ensures all data is explicitly validated
  • Use cryptography correctly
  • Identify sensitive data and how it should be handled
  • Always consider users
  • Understand how integrating external components changes your attack surface
  • Be flexible when considering future changes to objects and actors

