The report is based on real-world data collected at the world’s top technology companies and includes information on techniques to avoid the most significant software security design flaws.
According to the IEEE, practical advice ranges from encouraging the correct use of applied cryptography to validating each individual bit of data.
The CSD is part of a cyber-security initiative launched in 2014 by the IEEE Computer Society, an association for computing professionals.
The broader initiative is aimed at escalating the IEEE’s involvement in the field of cyber security.
The CSD was set up to shift some of the focus in security from finding bugs to identifying common design flaws in the hope that software architects can learn from others’ mistakes.
Its main aims are to provide guidance on recognising software system designs that are likely to be vulnerable to compromise, and on designing and building software systems with strong, identifiable security properties.
Read more on secure software
CSD founding members include Cigital, EMC, Harvard University, HP, Intel/McAfee, RSA and Twitter.
Its members believe proper security design has been the Achilles’ heel of security engineering for decades.
“The CSD will play a critical role in refocusing software security and security engineering on the most challenging open problem in security,” said Neil Daswani of the security engineering team at Twitter.
“By getting past the myopic focus on implementation bugs in code and talking about security design, the CSD does even the most advanced companies in the space a huge service.”
Gary McGraw, chief technology officer at Cigital and author of the book Software Security, said bugs and flaws are two very different types of security defect.
“We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying because design flaws account for 50% of software security issues,” he said.
McGraw said the CSD had provided the opportunity for its members to refocus, gather real data, and share the results with the world.
The report contains a list of recommendations drawn from a workshop to help developers avoid the top security design flaws. Each technique is described in detail in the report.
Summary of recommendations:
- Earn or give, but never assume, trust
- Use an authentication mechanism that cannot be bypassed or tampered with
- Authorise after you authenticate
- Strictly separate data and control instructions, and never process control instructions received from untrusted sources
- Define an approach that ensures all data is explicitly validated
- Use cryptography correctly
- Identify sensitive data and how it should be handled
- Always consider the users
- Understand how integrating external components changes your attack surface
- Be flexible when considering future changes to objects and actor