Security experts identify top 10 software design flaws

ComputerWeekly.com.com

Security experts identify top 10 software design flaws

By Warwick Ashford

Security experts at the IEEE Center for Secure Design (CSD) have published a report on the top 10 software security design flaws.

The report is based on real-world data collected at the world’s top technology companies and includes information on techniques to avoid the most significant software security design flaws.

According to the IEEE, practical advice ranges from encouraging the correct use of applied cryptography to validating each individual bit of data.

The CSD is part of a cyber-security initiative launched in 2014 by the IEEE Computer Society, an association for computing professionals.

The broader initiative is aimed at escalating the IEEE’s involvement in the field of cyber security.

The CSD was set up to shift some of the focus in security from finding bugs to identifying common design flaws in the hope that software architects can learn from others’ mistakes.

Its main aims are to provide guidance on recognising software system designs that are likely to be vulnerable to compromise, and on designing and building software systems with strong, identifiable security properties.

Read more on secure software

After Heartbleed: New realities of open-source software security
Putting software security in the hands of the buyer
UK lags US in application security investment
Boards need to get behind application security, says Owasp
Finance and retail applications most vulnerable to breaches

CSD founding members include Cigital, EMC, Harvard University, HP, Intel/McAfee, RSA and Twitter.

Its members believe proper security design has been the Achilles’ heel of security engineering for decades.

“The CSD will play a critical role in refocusing software security and security engineering on the most challenging open problem in security,” said Neil Daswani of the security engineering team at Twitter.

“By getting past the myopic focus on implementation bugs in code and talking about security design, the CSD does even the most advanced companies in the space a huge service.”

Gary McGraw, chief technology officer at Cigital and author of the book Software Security, said bugs and flaws are two very different types of security defect.

“We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying because design flaws account for 50% of software security issues,” he said.

McGraw said the CSD had provided the opportunity for its members to refocus, gather real data, and share the results with the world.

The report contains a list of recommendations drawn from a workshop to help developers avoid the top security design flaws. Each technique is described in detail in the report.

Summary of recommendations:

Earn or give, but never assume, trust
Use an authentication mechanism that cannot be bypassed or tampered with
Authorise after you authenticate
Strictly separate data and control instructions, and never process control instructions received from untrusted sources
Define an approach that ensures all data is explicitly validated
Use cryptography correctly
Identify sensitive data and how it should be handled
Always consider the users
Understand how integrating external components changes your attack surface
Be flexible when considering future changes to objects and actor

27 Aug 2014