Seven categories of software security flaws

These seven attack vectors for software were formulated by Gary McGraw, CTO at secure code development consultancy Cigital, in conjunction with security experts Katrina Tsipenyuk and Brian Chess.

The seven pernicious kingdoms

Seven attack vectors for software were formulated by Gary McGraw, CTO at secure code development consultancy Cigital, in conjunction with security experts Katrina Tsipenyuk and Brian Chess, which they called "The seven pernicious kingdoms".

 

Input validation

Check user input so attackers can not send confusing or manipulative data to be processed.

 

API abuse

Application programming interfaces (APIs) are ways to access software functions. If you access such features in unexpected ways, you can create security loopholes.

 

Security features

Misusing well-known security features such as encryption and authentication can create gaping holes in your software at the very points where you are trying to make it as secure as possible.

 

Time and state

This is a big attack vector for distributed software. Autonomous systems working together across networks need to be aware of each other's state of operation. If attackers can find loopholes to exploit differences in state, distributed applications can be compromised.

 

Errors

Good error handling is critical. Common mistakes involve not handling errors at all, or returning too much information in error messages that can give away clues about a system. Both can render systems vulnerable.

 

Code quality

Poor quality code can make a system vulnerable to unpredictable behaviour. Make sure your code is elegant and performs well to avoid creating security loopholes.

 

Encapsulation

Good security relies on trust boundaries, and understanding what parts of a system, or an organisation, a particular piece of code can touch. Drawing robust trust boundaries around systems will help to stop attackers finding their way in, but this requires code that understands and respects those boundaries.




This was last published in March 2008

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close