The seven pernicious kingdoms
Gary McGraw, CTO at secure code development consultancy Cigital,
formulated seven attack vectors for software in conjunction with
security experts Katrina Tsipenyuk and Brian Chess. They called
them "The seven pernicious kingdoms".
Input validation
Check user input so attackers cannot send confusing or
manipulative data to be processed.
API abuse
Application programming interfaces (APIs) are ways to access
software functions. If you access such features in unexpected ways,
you can create security loopholes.
Security features
Misusing well-known security features such as encryption and
authentication can create gaping holes in your software at the
very points where you are trying to make it as secure as
possible.
Time and state
This is a big attack vector for distributed software. Autonomous
systems working together across networks need to be aware of each
other's state of operation. If attackers can find loopholes to
exploit differences in state, distributed applications can be
compromised.
Errors
Good error handling is critical. Common mistakes involve not
handling errors at all, or returning too much information in error
messages that can give away clues about a system. Both can render
systems vulnerable.
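The two error-handling mistakes described above, next to a corrected handler, as an added Python example that is not part of the original article. The function names, the file path and the incident-reference scheme are constructed for illustration.

```python
import logging
import uuid

log = logging.getLogger("app.errors")


def load_account(account_id):
    # Constructed failure: the message carries an internal file path.
    raise FileNotFoundError(f"/srv/app/data/accounts/{account_id}.json not found")


def handle_unhandled(account_id):
    """Mistake 1: no error handling, so the exception escapes to the caller."""
    return {"status": 200, "body": load_account(account_id)}


def handle_leaky(account_id):
    """Mistake 2: the raw exception text is sent back to the client."""
    try:
        return {"status": 200, "body": load_account(account_id)}
    except Exception as exc:
        return {"status": 500, "body": f"{type(exc).__name__}: {exc}"}


def handle_safe(account_id):
    """Catch the failure, keep the detail in the server log, and return only
    a generic message plus a reference that operators can search for."""
    try:
        return {"status": 200, "body": load_account(account_id)}
    except Exception:
        incident = uuid.uuid4().hex[:12]
        # log.exception records the message and the full traceback server-side.
        log.exception("incident=%s account lookup failed id=%r", incident, account_id)
        return {"status": 500, "body": f"Internal error (ref {incident})"}


if __name__ == "__main__":
    print(handle_leaky("42"))  # body exposes the exception type and file path
    print(handle_safe("42"))   # body carries only a generic message and reference
```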
Code quality
Poor quality code can make a system vulnerable to unpredictable
behaviour. Make sure your code is elegant and performs well to
avoid creating security loopholes.
Encapsulation
Good security relies on trust boundaries, and understanding what
parts of a system, or an organisation, a particular piece of code
can touch.
Drawing robust trust boundaries around systems will help to stop
attackers finding their way in, but this requires code that
understands and respects those boundaries.