Seven categories of software security flaws
These seven attack vectors for software were formulated by Gary McGraw, CTO at secure code development consultancy Cigital, in conjunction with security experts Katrina Tsipenyuk and Brian Chess.
The seven pernicious kingdoms
Seven attack vectors for software were formulated by Gary McGraw, CTO at secure code development consultancy Cigital, in conjunction with security experts Katrina Tsipenyuk and Brian Chess, which they called "The seven pernicious kingdoms".
Input validation
Check user input so attackers can not send confusing or manipulative data to be processed.
API abuse
Application programming interfaces (APIs) are ways to access software functions. If you access such features in unexpected ways, you can create security loopholes.
Security features
Misusing well-known security features such as encryption and authentication can create gaping holes in your software at the very points where you are trying to make it as secure as possible.
Time and state
This is a big attack vector for distributed software. Autonomous systems working together across networks need to be aware of each other's state of operation. If attackers can find loopholes to exploit differences in state, distributed applications can be compromised.
Errors
Good error handling is critical. Common mistakes involve not handling errors at all, or returning too much information in error messages that can give away clues about a system. Both can render systems vulnerable.
Code quality
Poor quality code can make a system vulnerable to unpredictable behaviour. Make sure your code is elegant and performs well to avoid creating security loopholes.
Encapsulation
Good security relies on trust boundaries, and understanding what parts of a system, or an organisation, a particular piece of code can touch. Drawing robust trust boundaries around systems will help to stop attackers finding their way in, but this requires code that understands and respects those boundaries.
